
Understanding ESXi Patches – Size & Patch Bundles

Patch management for ESXi is very different from that of traditional operating systems, where incremental updates are layered onto the base operating system and the disk footprint grows with each patch. For the ESXi hypervisor, applying a patch replaces the entire ESXi image, also known as an Image Profile. This means that each time you patch or upgrade an ESXi host, you are not adding on top of the original installation size.

As part of the ESXi architecture, there are two independent boot bank partitions used to store the ESXi Image Profile. This serves primarily as a fail-safe mechanism for rollback.

Here is a diagram showing what the ESXi boot banks look like before and after applying a patch (this applies to both updates and upgrades):

Another question I frequently see asked is whether ESXi patches are cumulative. The answer is yes, they are cumulative. However, at first glance at the downloads on VMware's patch website, this may not be obvious.

To help clarify this, it is important to first understand the contents of an ESXi patch download (also known as a patch bundle or offline bundle). A patch bundle can contain multiple bulletins, and each bulletin contains either the ESXi hypervisor OS (esx-base) and/or the VMware Tools ISO images (tools-light). On occasion, a patch bundle may also contain driver updates. Each bulletin is categorized as either SG (security) or BG (bug fixes).

An SG bulletin contains ONLY security fixes and excludes any functional bug fixes. The reason for having a security-only bulletin is that some customers have a very stringent requirement to fix known security vulnerabilities within a short time frame that does not allow for vetting the entire patch release. A BG bulletin contains both the functional bug fixes and the security fixes. An example of a patch bundle containing all four bulletin categories (esx-base and tools-light, each as SG and BG) is ESXi510-201212001.

Lastly, each bulletin consists of VIBs, and each VIB is cumulative over all previous versions of that VIB. For example, a BG bulletin released in July contains all the cumulative bug fixes and security fixes from January to June.
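To make the bulletin and boot-bank semantics above concrete, here is an added Python model (not code from this post or from VMware) of how a cumulative bulletin resolves against the running image profile and how the replacement image lands in the alternate boot bank; the VIB version strings and the ordering rule applied to them are constructed assumptions.

```python
# Added example, not code from the post or from VMware: a model of the patch
# semantics described above. Version strings are constructed placeholders.
from dataclasses import dataclass, field


def parse_vib_version(version: str) -> tuple:
    """'5.1.0-0.8.111111' -> ((5, 1, 0), (0, 8, 111111)); assumes integer parts."""
    release, _, build = version.partition("-")
    return (tuple(int(p) for p in release.split(".")),
            tuple(int(p) for p in build.split(".") if p))


@dataclass
class Bulletin:
    category: str  # "SG" (security fixes only) or "BG" (bug fixes + security fixes)
    vibs: dict     # VIB name -> version carried by this bulletin


@dataclass
class Host:
    """Two boot banks; `active` is the one the bootloader defaults to."""
    banks: list = field(default_factory=lambda: [{}, {}])
    active: int = 0

    def profile(self) -> dict:
        return self.banks[self.active]

    def apply(self, bulletin: Bulletin) -> dict:
        # Replacement image profile: a bulletin VIB supersedes the same-named
        # VIB only when newer, so an older bulletin never downgrades anything.
        new_profile = dict(self.profile())
        for name, version in bulletin.vibs.items():
            current = new_profile.get(name)
            if current is None or parse_vib_version(version) > parse_vib_version(current):
                new_profile[name] = version
        # The whole image goes into the alternate bank, which becomes the
        # default; the old image stays as the rollback copy (footprint: 2 images).
        alt = 1 - self.active
        self.banks[alt] = new_profile
        self.active = alt
        return new_profile


def supersedes(newer: Bulletin, older: Bulletin) -> bool:
    """True when `newer` carries every VIB of `older` at the same or a higher version."""
    return all(name in newer.vibs and
               parse_vib_version(newer.vibs[name]) >= parse_vib_version(ver)
               for name, ver in older.vibs.items())
```

The rollback copy is always `host.banks[1 - host.active]`, which is what the second boot bank in the diagram holds after a patch.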

As you can see, because of the way the ESXi hypervisor is architected, updates and upgrades do not increase the disk footprint the way they do on traditional operating systems. In addition, VMware provides a flexible way of either applying all bug fixes or selecting security-only updates, based on a customer's security policies and procedures.

Here are some additional articles that may be useful in regards to ESXi patching:

Get notification of new blog postings and more by following lamw on Twitter: @lamw

13 thoughts on “Understanding ESXi Patches – Size & Patch Bundles”

  1. Forbes Guthrie

    I’m being pedantic here, but …
    From my understanding, the second diagram is a little misleading. The ESXi 5.1 image is pushed into the empty boot bank and then the boot loader is instructed to default to the new boot bank (#2). The 5.0 boot bank stays where it is, but is the fallback option.

  2. Ricardo Londono

    I had always believed that patches were cumulative but it is very nice to understand a little bit more of the details. Thank you for the clear write up.

  4. Cliff Klein

    VMware just released ESXi500-201305001 sized at 311MB. The prior patch released in March ESXi500-201303001 is listed as 614MB. I planned on applying the bigger March patch this weekend. If I apply the latest patch only listed at 311MB will it contain everything from the prior patch listed at 614MB? Am I missing something if the patches are cumulative? Thanks. Great article.

    1. Chris Z

      201305001 contains tools and base bug fixes, as well as security fixes, while the latter only has the base bug fixes.

      I think you need to apply the March patch to get your security patches up to date, then apply the May patch to get the base fixes applied.
