As luck would have it we run 9.2.0.4 on Windows servers for which there is no patch!
We have to patch to 9.2.0.5 but as the systems are closed and validated systems there'll be much revalidation and weeping and gnashing of teeth.
So ... so that I can convince management - can anyone give me some outline of the security risk if left unpatched? There's no real detail on Metalink - just a strong advisory statement to apply the patches. I know what the MD will say: "Can we risk it?" and without some detail on the risk I can't advise him.