Good article here comparing the Critical Updates fixes between SQL Server and Oracle and some of the misinformation peddled in the RDBMS world. Highlights include zero SQL Server critical update vulnerabilities since September 2004, which I think is pretty impressive!
http://blogs.technet.com/dataplatforminsider/archive/2008/04/14/unbreakable.aspx