

Are ESXi Patches Cumulative

Updated based on feedback.  Thanks for the comments!

I’d like to revisit the question “are ESXi patches cumulative”?  This time I hope to hammer home the point with an example.

In short, the answer is yes, the ESXi patch bundles are cumulative.  However, when applying patches from the command line using the ESXCLI command you do need to be careful to ensure you update the complete image profile and not just select VIBs.

There are two ways to update VIBs using the ESXCLI command.  You can use either the “esxcli software vib update …” command or the “esxcli software profile update …” command.  The “vib” namespace is typically used with the optional “-n <vib name>” parameter in order to update individual VIBs, whereas the “profile” namespace is typically used to update the host’s image profile, which may include multiple VIB updates.  The key when applying patches is to use the “profile” namespace to update the complete image profile, as opposed to using the “vib” namespace to update selected VIBs.

Before patching hosts using the ESXCLI command make sure you understand the distinction between updating individual VIBs vs. updating the image profile.

ESXi software is packaged as vSphere Installation Bundles (VIBs).   The collection of all the VIBs running on a host is referred to as the “Image Profile”.

Patches are essentially updates to VIBs and are distributed as a ZIP archive, which is referred to as a patch bundle.  These patch bundles can be loaded into Update Manager, or they can be copied to the host and used with the ESXCLI command.  It’s important to note that along with the updated VIBs the patch bundles also include the latest version of all the other VIBs contained in the image profile.  When you download a bundle you aren’t just downloading the updates, you’re getting the complete ESXi software image.

As I mentioned, there are two ways you can update your hosts using the ESXCLI command:  (1) you can update individual VIBs, or (2) you can update the complete image profile.  It is recommended that you always update the entire image profile as this will:

  1. Eliminate the need to manually track the individual VIBs that are updated with each patch.
  2. Avoid the need to run multiple update commands in order to install all the updated VIBs.
  3. Help to ensure you don’t inadvertently skip any VIBs from a previous patch.

Let me demonstrate with an example using the first three patches for ESXi 5.1.  I’ll refer to these patches as Patch1, Patch2, and Patch3.

  • Patch1 – ESXi510-201210001.zip – updates the “esx-base” VIB (build number 838463).
  • Patch2 – ESXi510-201212001.zip – updates the “esx-base” and “tools-light” VIBs (build number 914609).
  • Patch3 – ESXi510-201303001.zip – updates the “esx-base” VIB (build number 1021289).

I start with a fresh installation of ESXi 5.1.  Before I apply any patches, let’s look at the VIB versions for the “esx-base” and “tools-light” VIBs (as these are the VIBs updated in the three patches).  We see that everything is running with the GA build number 799733, so we confirm that the host is not patched:

Next, let’s download Patch3.  As patches are cumulative, downloading this one patch gives me all the updates from Patch1 and Patch2 as well.

After reading the Patch3 release notes I see that it provides updates to the “esx-base” VIB.  So I run the “esxcli software vib update -d <patch archive> -n esx-base” command.  Note that in this example, because I am naming the specific VIB to update, the “tools-light” VIB will not get updated.

After the command completes I reboot the host.

At this point my host now has the latest version of the “esx-base” VIB, which includes the updates for this VIB that were made in Patch1 and Patch2 as well.  However, the host is still running the old (non-patched) version of  “tools-light”.  This can be confirmed by looking at the build numbers for the individual VIBs:

At this point my host is only half-patched.  In order to update the “tools-light” VIB I need to re-run the “esxcli software vib update …” command a second time and specify the “tools-light” VIB.

While manually updating individual VIBs may not seem like a big deal, consider how messy this gets when I have five or six VIBs updated across four or five different patches?  How do I keep track of this and what is the risk that I might accidentally skip one of the VIBs?

So in summary, in this first example I showed how even though Patch3 is cumulative and includes all the updates from Patch1 and Patch2, it is possible, depending on the syntax you use with the ESXCLI command, to get into a situation where only some of the VIBs are applied to the host.

Now let’s look at the second example. Here I’ll work at the image profile level as opposed to the VIB level to show how you can apply all the updates with a single command.  Where the “esxcli software vib update -d <patch archive> -n <vib name>” command replaced individual VIBs, the “esxcli software profile update -d <patch archive>” command will update all the VIBs in the image profile with any updated versions contained in the patch archive.

Note: if you run the “esxcli software vib update -d <patch archive>” command without the “-n” parameter to specify a specific VIB, the command behaves much like the “esxcli software profile update -d <patch archive>” command in that all the VIBs will be updated.

Before you update the image profile you need to determine the name of the image profiles available in the patch bundle.  We use the “esxcli software sources profile list -d <patch bundle>” command to do this.  In this case we see there are two image profiles in the patch archive; “standard” and “no-tools”.

With the name of the image profile (I’ll use the standard profile) I can now update my host by running the  “esxcli software profile update -d <patch archive> -p <image profile>” command:

Here we see that this time both the “esx-base” and “tools-light” VIBs were replaced.  Notice that the “tools-light” VIB has the build number from Patch2, whereas the “esx-base” VIB has the build number from Patch3.

In this second example I showed how patching the image profile ensures that all the updates get applied.  This eliminates the need to manually track VIB updates across patches in order to ensure all the updates get applied.

So in summary:

  1. ESXi patches are cumulative!  Each patch bundle (.zip archive) includes all the updates from prior patches.
  2. When patching from the command line, use the “esxcli software profile update -d <patch archive> -p <image profile>” command.  This will update the full image profile by replacing all outdated VIBs on the host with the most recent version contained in the patch (even if the update is from a prior patch).
  3. Avoid using the “esxcli software vib update -d <patch archive> -n <vib name>” command as the “-n” parameter will only update the specific VIBs, which could put you in a situation where some updates may get missed.
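The half-patched state from the first example can be caught by comparing the host's VIB builds against the image profile in the patch bundle. The following is an added example, not part of the original post: the two tables are constructed samples in the Name/Version style of “esxcli software vib list”, the version prefixes are made up, and only the build numbers come from the article.

```python
import re

# Constructed sample: host after "vib update -n esx-base" with Patch3.
# Version prefixes are invented; build numbers are the article's.
HOST_AFTER_VIB_UPDATE = """\
Name         Version
-----------  ------------------
esx-base     5.1.0-0.0.1021289
tools-light  5.1.0-0.0.799733
"""

# Constructed sample: the same two VIBs as shipped in Patch3's profile.
PATCH3_STANDARD_PROFILE = """\
Name         Version
-----------  ------------------
esx-base     5.1.0-0.0.1021289
tools-light  5.1.0-0.0.914609
"""


def parse_vib_table(text):
    """Return {vib_name: build_number} from a Name/Version table."""
    vibs = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the header row and the dashed separator row.
        if len(fields) < 2 or fields[0] == "Name" or set(fields[0]) == {"-"}:
            continue
        match = re.search(r"\.(\d+)$", fields[1])
        if match is None:
            raise ValueError(f"no build number in version {fields[1]!r}")
        vibs[fields[0]] = int(match.group(1))
    return vibs


def outdated_vibs(host_table, profile_table):
    """List (name, host_build, profile_build) for installed VIBs that lag."""
    host = parse_vib_table(host_table)
    profile = parse_vib_table(profile_table)
    # Only VIBs already installed on the host are compared.
    return [(name, host[name], build)
            for name, build in sorted(profile.items())
            if name in host and host[name] < build]


if __name__ == "__main__":
    for name, have, want in outdated_vibs(HOST_AFTER_VIB_UPDATE,
                                          PATCH3_STANDARD_PROFILE):
        print(f"{name}: host build {have}, profile build {want}")
```

An empty result means every installed VIB is at least at the build shipped in the profile.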

 

17 thoughts on “Are ESXi Patches Cumulative”

  1. Steve Ballmer

    If Patch 2 was the last patch released and it includes updates to the esx-base and tools can we then use the “esxcli software vib update”?

    Reply
    1. Kyle Gleed (Post author)

      Yes, assuming you update both VIBs. The point I’m trying to make is that the patch bundle that you download is cumulative in that it contains all the fixes from any prior patches. However, in order to have all the updates applied to your host you need to make sure all the updated VIBs get installed.

      Thanks for the comment.

      Reply
  2. Trevor Horsfall

    Isn’t your example a little bit misleading?

    You use the command ‘esxcli software vib update -n esx_base …’ as your example, which specifically directs the installer to only apply the updates contained in the ‘esx_base’ VIB. Surely omitting the ‘-n esx_base’ parameter would allow the installer to update all of the (cumulative) VIBs contained in the zip file, wouldn’t it? (Reference: http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vcli.ref.doc_50%2Fesxcli_software.html)

    The file sizes available from the patch portal also don’t suggest that they are cumulative. i.e. How can a 300MB patch contain the cumulative set of fixes from the 600MB patch that came before it?

    On top of that, how does a mega-patch like ESXi 5.1 Update 1 interplay with the supposedly “cumulative” nature of these patches? If I don’t apply Update 1, then I apply the next available esx_base patch, do I magically get everything that was included in Update 1? The file size suggests that I don’t.

    BTW – You mixed up your patch names. Patch 2 and Patch 3 in your example are the same file.

    In summary, I think the answer in the top line of the 2nd paragraph of your blog should be “no, but sometimes, maybe”. It definitely isn’t a clear-cut “yes”.

    Reply
    1. Kyle Gleed (Post author)

      Hi Trevor, thanks for taking the time to provide feedback. Based on your feedback I updated the blog, hopefully for the better.

      To your questions:

      1. Yes, running the “esxcli software vib update” command w/out specifying which VIB to update will update all the VIBs. Good catch.

      2. The reason why some patches are larger than other patches has to do with the fact that we provide separate image profiles for “security only” fixes vs. “all” bug fixes. Because the security only image profiles don’t always include all the bug fixes we need to maintain multiple copies of some VIBs in the patch bundle. Because a patch bundle can have copies of both the un-patched as well as patched versions of some VIBs the size of the patches can vary.

      3. The difference between a patch and an “Update release” (what you call mega-patch) is more about the type of fixes included and not the cumulative nature of the updates. Patches focus on high priority fixes where update releases, in addition to including the high priority fixes, often include less critical updates and minor enhancements. For example, a typo in the UI would not warrant a patch, but would be fixed in the next update release.

      4. I fixed the patch names. Thanks for pointing that out.

      -Kyle

      Reply
  3. Totie Bash

    I normally use “esxcli software vib install -d ” to install vib zip patches. However another article told me that I should use “esxcli software vib update -d “. Now, reading your article tells me that I should use “esxcli software profile update”. Grrrr!!! do you know the difference?

    Reply
    1. Andrew Keller

      Same here. I’ve been using “esxcli software vib install -d”. What is the difference between “install” and “update”?

      Reply
      1. Steve Ballmer

        The install switch will remove any custom drivers installed. The update switch would keep them and just update the needed parts

        Reply
  4. Andreas Peetz

    Thanks Kyle – the question covered here is definitely the #1 FAQ when it comes to ESXi patching. A while ago I already tried to answer it on my blog in a post that had almost the same title: “Are ESXi 5.x patches cumulative?” (see http://www.v-front.de/2012/11/are-esxi-5x-patches-cumulative.html).

    As an outcome of this work I also maintain an online spreadsheet that lists all VIBs with version number for all the patch bundles that were published for ESXi 5.0, 5.1 and 5.5. This is also a very nice way to check what is included in a bundle and was updated compared to the previous one. Check it out at http://vibmatrix.v-front.de

    – Andreas

    Reply
  5. Pingback: Patching a Standalone ESXi Host

  6. James

    Hi,

    Thanks for the info. on this, very helpful.
    I have a quick question regarding patching Vendor Customized builds – should this be done using only the most recent Customized build (using the esxcli software profile update -d -p ” command), or can I use the most recent VMware patch release (also using the esxcli software profile update -d -p ” command)?

    I now know this approach (ie esxcli software profile update -d -p ” ) will only update older vibs, not install new, so how can I confirm the newer VMware build will work correctly with the older HP specific drivers/versions?

    Reply
  7. synack2

    Thank you very much for this. I was completely confused by the patch list on VMware’s site. They give you the KB’s for each update, but don’t tell you it includes the rest. Very well written and saved me a ton of time.

    Reply
  8. Pingback: Patching ESXi 5 Free Version | The Bobby Blog

  9. Pingback: Howto Create an ESXi ISO that contains all Patches | Virten.net

  10. LTC

    I know this question is a little off topic, but has come up while looking for the current update. Our base install of ESXi was using a Dell image. This image was used since it included the drivers for the internal raid controller. Would I need to use the Dell updates for Esxi or would I be safe to use the ones available directly from Vmware. Any recommendations for how to approach updating if Dell images are required? Thanks

    Reply
  11. jmp

    Hi there,

    Many people recommend to simply use:

    esxcli software vib update -d =”PATH_TO_THE_PATCH.ZIP”

    Is that correct? Would that be cumulative and apply the whole set? Also, I noticed that it does not actually output anything unless you do “install” in terms of update. See this link, maybe you could provide some support there:

    https://communities.vmware.com/thread/502336

    thanks in advance

    Reply
  12. Pingback: The Difference Between An ESXi Patch, Express Patch, and Update | port1352
