Patch management for ESXi works very differently from patching a traditional operating system, where each patch is an incremental update layered on top of the base installation and so grows the on-disk footprint with every update. When a patch is applied to an ESXi host, the entire ESXi image (also known as an Image Profile) is replaced. Each time you patch or upgrade an ESXi host, you are therefore not adding on top of the original installation size.

As part of the ESXi architecture there are two independent boot bank partitions used to store the ESXi Image Profile. A new image is written to the inactive bank and the banks swap roles at the next reboot, so the previous image is retained; this is primarily a fail-safe mechanism for rollback.

Here is a diagram showing what the ESXi boot banks look like before and after applying a patch (this applies to both updates and upgrades):
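The following script is an added example, not part of the original post, that shows the two boot banks on a live host. It reads the `build=` and `updated=` keys each bank's `boot.cfg` carries; on a stock host the two banks are mounted at `/bootbank` and `/altbootbank`. The rule that the loader prefers the bank with the higher `updated` counter reflects my understanding of the ESXi loader rather than anything stated on this page, and the two `boot.cfg` files used when the script runs off-host are constructed samples.

```shell
#!/bin/sh
# Report which ESXi boot bank is live and which image build each bank holds,
# by reading the build= and updated= keys from each bank's boot.cfg.
# Added example. The key names are what a stock ESXi host writes; the sample
# files created in the else-branch below are constructed for the demo.

# bank_field DIR KEY -> value of "KEY=..." in DIR/boot.cfg (first match only)
bank_field() {
    [ -r "$1/boot.cfg" ] || return 1
    sed -n "s/^$2=//p" "$1/boot.cfg" | head -n 1
}

# active_bank BANK1 BANK2 -> the bank with the higher 'updated' counter,
# which is the one the loader boots by default (assumption, see lead-in).
active_bank() {
    u1=$(bank_field "$1" updated)
    u2=$(bank_field "$2" updated)
    : "${u1:=0}" "${u2:=0}"
    if [ "$u1" -ge "$u2" ]; then echo "$1"; else echo "$2"; fi
}

# bank_report BANK1 BANK2 -> one line per bank: path, build, counter, role.
# The bank that is not active holds the previous image, i.e. the rollback target.
bank_report() {
    act=$(active_bank "$1" "$2")
    for b in "$1" "$2"; do
        role=rollback
        [ "$b" = "$act" ] && role=active
        printf '%s build=%s updated=%s %s\n' \
            "$b" "$(bank_field "$b" build)" "$(bank_field "$b" updated)" "$role"
    done
}

if [ -d /bootbank ] && [ -d /altbootbank ]; then
    # Real host: /bootbank is the live bank, /altbootbank the other one.
    bank_report /bootbank /altbootbank
else
    # Off-host demo with constructed boot.cfg files: a 5.1 GA install that
    # has been patched once, so the two banks hold two different builds.
    tmp=$(mktemp -d)
    mkdir "$tmp/bank0" "$tmp/bank1"
    printf 'bootstate=0\nbuild=5.1.0-799733\nupdated=1\n' > "$tmp/bank0/boot.cfg"
    printf 'bootstate=0\nbuild=5.1.0-914609\nupdated=2\n' > "$tmp/bank1/boot.cfg"
    bank_report "$tmp/bank0" "$tmp/bank1"
    rm -rf "$tmp"
fi
```

The report makes the replacement model visible: after a patch there are exactly two builds on disk, the new one in the active bank and the previous one in the other bank, regardless of how many patches the host has been through. If the new image fails to boot, the previous bank can be selected from the boot loader (Shift+R at the boot prompt) to fall back to the retained image.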

Another question I see asked frequently is whether ESXi patches are cumulative. The answer is yes, they are. However, this may not be obvious at first glance at the patch downloads on VMware's patch website.

To help clarify this, it is important to first understand the contents of an ESXi patch download (also known as a patch bundle or offline bundle). A patch bundle can contain multiple bulletins, and each bulletin contains either the ESXi hypervisor OS (esx-base) or the VMware Tools ISO images (tools-light). On occasion a patch bundle may also contain driver updates. Each bulletin is categorized as either SG (security) or BG (bug fix).

An SG bulletin contains ONLY security fixes and excludes any functional bug fixes. The reason for having a security-only bulletin is that some customers have a very stringent requirement to fix known security vulnerabilities within a time frame that does not allow for vetting the entire patch release. A BG bulletin contains both the functional bug fixes and the security fixes. An example of a patch bundle containing all four bulletin combinations (esx-base and tools-light, each as an SG and a BG bulletin) is ESXi510-201212001.

Lastly, each bulletin is simply a collection of VIBs, and each VIB is cumulative with respect to all previous versions of that VIB. If we take the example of a BG bulletin released in July, it will contain all the bug fixes and security fixes from January through June as well as its own.
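The bulletin split above surfaces on a host as a choice of image profile inside the bundle. The script below is an added example, not code from the original post or from VMware: it picks either the security-only or the full profile out of an offline bundle and dry-runs the update. It assumes VMware's profile naming convention `ESXi-<version>-<YYYYMMDDNNN>[s]-<standard|no-tools>`, in which a trailing `s` after the date tag marks the security-only (SG) roll-up and its absence marks the full (BG) roll-up; the bundle path and the profile list used off-host are constructed samples shaped like the output of `esxcli software sources profile list`.

```shell
#!/bin/sh
# Choose between the security-only and the full image profile in an ESXi
# offline bundle, then dry-run the update. Added example, not from the post.
# Assumption: profile names follow ESXi-<ver>-<YYYYMMDDNNN>[s]-<standard|no-tools>,
# where the trailing 's' on the date tag marks the security-only (SG) roll-up.

BUNDLE=${1:-/vmfs/volumes/datastore1/ESXi510-201212001.zip}   # assumed path
MODE=${2:-full}                                                # full | security

# Constructed sample of the profiles a bundle like ESXi510-201212001 exposes,
# in the shape 'esxcli software sources profile list -d <bundle>' prints them.
sample_profiles() {
    cat <<'EOF'
ESXi-5.1.0-20121204001-standard
ESXi-5.1.0-20121204001-no-tools
ESXi-5.1.0-20121201001s-standard
ESXi-5.1.0-20121201001s-no-tools
EOF
}

# profile_names -> one profile name per line: from the real bundle when esxcli
# and the bundle are present (on an ESXi host), otherwise from the sample.
profile_names() {
    if command -v esxcli >/dev/null 2>&1 && [ -f "$BUNDLE" ]; then
        esxcli software sources profile list -d "$BUNDLE" | awk '/^ESXi-/ { print $1 }'
    else
        sample_profiles
    fi
}

# pick_profile LIST security|full standard|no-tools -> matching profile name,
# empty if the bundle has none. 'security' requires the 's' marker and 'full'
# requires its absence, so the two can never resolve to the same profile.
pick_profile() {
    case $2 in
        security) sfx=s ;;
        full)     sfx= ;;
        *) echo "usage: pick_profile LIST security|full standard|no-tools" >&2; return 2 ;;
    esac
    printf '%s\n' "$1" | grep -E "^ESXi-[0-9.]+-[0-9]{11}${sfx}-$3\$" | head -n 1
}

# apply_profile NAME -> dry-run the profile update (off-host: print the command).
# --dry-run lists the VIBs that would be installed or removed without touching a
# boot bank; drop it once the plan looks right. 'profile update' replaces the
# whole image profile, which is why the footprint does not grow per patch.
apply_profile() {
    if command -v esxcli >/dev/null 2>&1; then
        esxcli software profile update -d "$BUNDLE" -p "$1" --dry-run
    else
        echo "would run: esxcli software profile update -d $BUNDLE -p $1 --dry-run"
    fi
}

list=$(profile_names)
echo "security-only (SG) profile : $(pick_profile "$list" security standard)"
echo "full (BG + SG) profile     : $(pick_profile "$list" full standard)"
target=$(pick_profile "$list" "$MODE" standard)
[ -n "$target" ] || { echo "no $MODE profile found in $BUNDLE" >&2; exit 1; }
apply_profile "$target"
```

Run it on a host as `sh patch.sh /vmfs/volumes/datastore1/<bundle>.zip security` to stage only the SG roll-up, or with `full` for the complete release. Because the VIBs are cumulative, applying the full profile later is safe: its esx-base VIB already carries everything the security-only one did. After the update and reboot, `esxcli software profile get` shows the new profile name and `esxcli software vib list` the VIB versions now installed.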

As you can see, because of the way the ESXi hypervisor is architected, updates and upgrades do not increase the disk footprint the way they do on a traditional operating system. In addition, VMware provides a flexible choice between applying all bug fixes or selecting security-only updates, depending on the customer's security policies and procedures.

Here are some additional articles that may be useful regarding ESXi patching:


About the Author

William Lam

William Lam is currently a Staff Solutions Architect in the VMware Cloud on AWS team within the Cloud Platform Business Unit (CPBU) at VMware. He primarily focuses on automation, integration and operation of the Software Defined Datacenter (SDDC). One of his core responsibilities is driving VMC's Customer[0] initiative and helping to provide early feedback on the usability, design and architecture of new VMC features and capabilities. He works closely with Engineering and Product Management on developing new ideas and integrations for VMC. Lastly, through customer interactions and feedback, he continues to champion customers' challenges and needs in order to further improve VMware's products and services.