The nice part about Microsoft SQL Server Express is that, unlike Oracle XE, you can count on getting updates. There hasn’t been an update to Oracle XE since, well never. This is despite the fact that it has a gazillion well known security vulnerabilities that have been addressed in the paid versions of Oracle database.
The easiest way to get Microsoft SQL Server Express update is to use Microsoft Update service. You can see the list of issues addressed in this article List of the bugs that are fixed in SQL Server 2005 Service Pack 3
Just like Microsoft, we at IBM also update the free DB2 Express-C on periodic basis. As a matter of fact, we recently released DB2 Express-C 9.5.2. We do, however use a different approach than Microsoft does. We do not release Service Packs for the free DB2 Express-C product. Instead we issue a complete refresh to the new level. Notice that this does not mean that you have to uninstall the older version to install the new level. It is much simpler than that, our new level of DB2 Express-C will automatically update the older level. You can optionally create a completely separate installation as well but most people find this unnecessary and frankly, confusing. Our philosophy is that simple always better. Another key difference is that unlike SQL Server Express which is only available as a free product with no support and a 4GB database limit, DB2 Express-C has no limits on the size of the database and does offer low-cost optional support and extra features. Those that purchase this optional support do get regular Fix Packs.