The second thing to note is that there are a lot more new names credited on this CPU. This is interesting; it means that whilst some of the normal "security" names are still there, there are a lot of new names. Does this mean we have more Oracle security researchers (i.e. people just concentrating on Oracle)? I think no; I think we are starting to see a change to the more mainstream, in that other people are now thinking about security, noticing security issues and reporting them to Oracle. Is this good? Yes. Is it bad for Oracle, in that more people will find bugs? No, it has to be good that people are starting to take security of data more seriously.
And the third thing (OK, I said two, this is a bonus!) is that whilst there are fewer database and app server bugs in terms of trend, there are 9 bugs in Oracle Secure Backup, all with a risk of 10.0 (only for Windows; for Linux it's 7.5). This signifies a "new target" for researchers. Considering that the database itself has been a target for a long time, will all the new products and features attract a large number of bugs going forward? A delayed trend? Also, as we have said, it seems that security bugs are mainstream now and also people are aware of data security much more.
Oracle's advisory, Oracle Critical Patch Update Advisory - January 2009, is available.