The CPU contains 38 security fixes (16 for the database) but if we consider Oracles internal fixing rate (i.e. security bugs that are not individually recognised on the advisory) may actually indicate that could be 123 silently fixed bugs (who knows!).
The bigger worry is that for this CPU 16 bugs are fixed in the database, one is for the client only and 6 are exploitable remotely without a username and password. The highest CVSS score is 10.0 for Windows and 7.5 for other platforms.
The cynical view when Oracle delayed the release of the CPU before Open World to allow DBA's to attend without worrying about applying patches was that there was bad news coming. Well the number of bug fixes is not astronomical but the news is bad, 6 remotely exploitable bugs without authenication and a CVSS of 10.0 is not exactly good news. The pre-release is now issued after Open World with this news.