Now that PostgreSQL is becoming the database of choice for independent software vendors, we're developing a new problem: software vendors do not apply updates. Within the last month, we've had the exact same conversation with four different ISV customers:
Customer: We have an instance of data corruption on one of our client's machines. [detailed description follows]
pgExperts: Yes, that sounds like data corruption. What version of PostgreSQL are you running on that machine?
pgExperts: 8.4.1 is missing 2 years of patch updates, including fixes for several data corruption issues. You should have updated to 8.4.11.
Customer: So can you fix it?
pgExperts: You need to apply the update to the current PostgreSQL patch version first.
Customer: We can't do that. Can you fix it?
pgExperts: Not for a reasonable cost, no.
It seems that many ISVs regularly deploy databases for which they have neither a mechanism for, nor a regular practice of, applying updates and patches. This could stem from a practice of avoiding bad patches (like those from certain major database and OS vendors), poor QA and testing, lack of remote access, inability to schedule downtimes, or some other issue. The only strange thing is the level of resistance ISVs have to the idea of applying updates, as if they'd never heard of it before. Regardless, the result is the same: the user's data is lost, corrupted, or hacked, and PostgreSQL will be blamed.
I doubt we're the only middleware software provider to encounter this. My question is, what can we do to educate vendors about the need to apply updates regularly, promptly, and throughout their customer base?