Some of this paper's info will surely be cherry-picked by RedHat in the months ahead...

Here's an interesting reply from David Litchfield responding to his critics
----------------
-------- Original Message --------
Subject: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Date: Wed, 22 Nov 2006 10:57:27 -0000
From: David Litchfield
To: Matthew Conover , ,
References:

Hi Matt,

>Given that NGS Software participated in Microsoft's Security
>Development Lifecycle [1] and your paper is already being referenced by
>Microsoft employees [2], the following question should be addressed to
>ensure the comparison is fair:
>Did NGS Software find any bugs in a version of SQL Server mentioned in
>the paper (7, 2005, and 2005) during a private security audit which
>were disclosed to Microsoft and fixed without being mentioned in a
>Microsoft security bulletin?

No. Additionally, if I was to find a bug in released code today Microsoft would fix it as usual and a public announcement would be made. It is imperative for both Microsoft and NGSSoftware that NGSSoftware is seen to be independent and not "in the pocket" of Microsoft. Since working with Microsoft we have been publicly credited in many Microsoft Bulletins - here's the list for 2006 alone:

http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-mar.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx

The bottom line is that Oracle really is just more buggy.
Cheers,
David