That depends on the vulnerability. If it's remote and relevant to what the box does, it's patched ASAP.
I never said anything counter to that. But if you have a server running a database, and it runs nothing else, and it is behind a firewall, there's no sense bringing it down for a security patch that doesn't apply to its function. If the patch is required for database security, then yes.