Product Announcements

Are ESXi Patches Cumulative

Updated based on feedback.  Thanks for the comments!

I’d like to revisit the question “are ESXi patches cumulative”?  This time I hope to hammer home the point with an example.

In short, the answer is yes, the ESXi patch bundles are cumulative.  However, when applying patches from the command line using the ESXCLI command you do need to be careful to ensure you update the complete image profile and not just select VIBs.

There are two ways to update VIBs using the ESCLI command.  You can use either the “esxcli software vib update … command or the “esxcli software profile update …” command.  The “vib” namespace is typically used with the optional “-n <vib name>” parameter in order to update individual VIBs, where the “profile” namespace is typically used to update the host’s image profile, which may include multiple VIB updates.  The key is when applying patches use the “profile” namespace to update the complete image profile opposed to using the “vib” namespace to update selected VIBs.

Before patching hosts using the ESXCLI command make sure you understand the distinction between updating individual VIBs vs. updating the image profile.

ESXi software is packaged as vSphere Installation Bundles (VIBs).   The collection of all the VIBs running on a host is referred to as the “Image Profile”.

Patch are essentially updates to VIBs and are distributed as a ZIP archive which is referred to as a patch bundle.  These patch bundles can be loaded into Update Manager, or they can be copied to the host and used with the ESXCLI command.  It’s important to note that along with the updated VIBs the patch bundles also include the latest version of all the other VIBs contained in the image profile.  When you download a bundle you aren’t just downloading the updates, you’re getting the complete ESXi software image.

As I mentioned, there are two ways you can update your hosts using the ESXCLI command:  (1) you can update individual VIBs, or (2) you can update the complete image profile.  It is recommended that you always update the entire image profile as this will:

  1. Eliminate the need to manually track the individual VIBs that are updated with each patch.
  2. Avoid the need to run multiple update commands in order to install all the updated VIBs.
  3. Help to ensure you don’t inadvertently skip any VIBs from a previous patch.

Let me demonstrate with an example using the first three patches for ESXi 5.1.  I’ll refer to these patches as Patch1, Patch2, and Patch3.

  • Patch1 – – updates the “esx-base” VIB (build number 838463).
  • Patch2 – – updates the “esx-base” and “tools-light” VIBs (build number 914609).
  • Patch3 – – updates the “esx-base” VIB (build number 1021289).

I start with a fresh installation of ESXi 5.1.  Before I apply any patches, lets look at the VIB versions for the “esx-base” and “tools-light” VIBs (as these are the VIBs updated in the three patches).  We see that everything is running with the GA build number 799733, so we confirm that the host is not patched:

Next, let’s download Patch3.  As patches are cumulative, downloading this one patch gives me all the updates from Patch1 and Patch2 as well.

After reading the Patch3 release notes I see that it provides updates to the “esx-base” VIB.  So I run the “esxcli software vib update -d <patch archive> -n esx-base” command.  Note that in this example, since I am specifying the specific VIB to update that the “tools-light” VIB will not get updated.

After the command completes I reboot the host.

At this point my host now has the latest version of the “esx-base” VIB, which includes the updates for this VIB that were made in Patch1 and Patch2 as well.  However, the host is still running the old (non-patched) version of  “tools-light”.  This can be confirmed by looking at the build numbers for the individual VIBs:

At this point my host is only half-patched.  In order to update the “tools-light” VIB I need to re-run the “esxcli software vib update …” command a second time and specify the “tools-light” VIB.

While manually updating individual VIBs may not seem like a big deal, consider how messy this gets when I have five or six VIBs updated across four or five different patches?  How do I keep track of this and what is the risk that I might accidentally skip one of the VIBs?

So in summary, in this first example I showed how even though Patch3 is cumulative and includes all the updates from the Patch1 and Patch2, it is possible depending on the syntax you use with the ESXCLI command to get into a situation where only some of the VIBs are applied to the host.

Now lets look at the second example, here I’ll work at the image profile level opposed to the VIB level to show how you can apply all the updates with a single command.  Where the “esxcli software vib update -d <patch archive> -n <vib name>” command replaced individual VIBs, the “esxcli software profile update -d <patch archive>” command will update all the VIBs in the image profile with any updated versions contained in the patch archive.

Note: you if you run the “esxcli software vib update -d <patch archive>” command without the “-n” parameter to specify a specific VIB, the command behaves much like the “esxcli software profile update -d <patch archive>” command in that all the VIBs will be updated.

Before you update the image profile you need to determine the name of the image profiles available in the patch bundle.  We use the “esxcli software sources profile list -d <patch bundle>” command to do this.  In this case we see there are two image profiles in the patch archive; “standard” and “no-tools”.

With the name of the image profile (I’ll use the standard profile) I can now update my host by running the  “esxcli software profile update -d <patch archive> -p <image profile>” command:

Here we see that this time both the “esx-base” and “tools-light” VIBs were replaced.  Notice that the tools-light VIB has the build number from Patch2 where the esx-base vib has the build number from Patch3.

In this second example I showed how patching the image profile ensures that all the updates get applied.  This eliminates the need to manually track VIBs updates across patches in order to ensure all the updates get applied.

So in summary:

  1. ESXi patches are cumulative!  Each patch bundle (.zip archive) includes all the updates from prior patches.
  2. When patching from the command line, use the “esxcli software profile update -d <patch archive> -p <image profile>” command.  This will update the full image profile by replacing all outdated VIBs on the host with the most recent version contained in the patch (even if the update is from a from a prior patch).
  3. Avoid using the “esxcli software vib update -d <patch archive> -n <vib name>” command as the “-n” parameter will only update the specific VIBs, which could put you in a situation where some updates may get missed.