On a white paper entitled (Which database is more secure? Oracle vs. Microsoft) published on November 21, 2006, security researcher David Litchfield of NGS Software compare the security holes targeting two RDBMSs: Oracle (v8, v9 and v10) and Microsoft SQL Server (7, 2000 and 2005). The comparison based on externally reported flows.
The report shows that Microsoft has patched 59 security hole in its SQL Server 7, 2000, and 2005 during the period from 2000 to 2006, while Oracle has patched 233 security hole in its Oracle 8, 0 and 10 on the same period.
You can download and read the details in the whitepaper, or in NGS Software site