The only thing that surprised me about the recent [http://www.infoworld.com/article/06/07/13/HNmysqlcurtain_1.html MySQL security timeline announcements] was the short timeframe between the announcement and the EOL for some apps. Presumably if someone hasn’t upgraded by now, there might be reasons why upgrading isn’t feasible within a short timeframe… but to address [http://people.planetpostgresql.org/greg/index.php?/archives/66-Security-Show-Me-The-Money..html Greg’s point about getting paid], this is basically the same policy as Oracle’s; from [http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html their latest security update]: “Critical Patch Updates are available for customers who have purchased Extended Maintenance Support (EMS) before the implementation of the Lifetime Support Policy. De-support Notices indicate whether EMS is available for a particular release and platform, as well as the specific period during which EMS will be available.” And speaking of that update, I have to agree with those who complain about [http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1186913,00.html the confusability of Oracle bug release announcements]… I tried looking through the list of bugs looking for any encoding-related SQL injection fixes, but couldn’t make heads or tails out of it. Any Oracle experts know if there was any fix like that?