Patch management for ESXi is very different compared to traditional operating system patches, where incremental updates are made to the base operating system and thus increasing the disk footprint for each patch update. For the ESXi hypervisor, when a patch is applied, the entire ESXi image also known as an Image Profile is replaced. This means that each time you patch or upgrade your ESXi host, you are not adding on top of the original installation size.
As part of the ESXi architecture, there are two independent boot bank partitions that are used to store the ESXi Image Profile. This is primarily used as a fail-safe mechanism for rollback.
Here is a diagram showing what the ESXi boot banks would look like before and after applying a patch (pertains to both updates and upgrades)
Another common question that I see frequently asked is whether ESXi patches are cumulative? The answer is yes, they are cumulative. However, at first glance at the patch downloads on the VMware’s patch website, this may not be obvious.
To help clarify this, it is important to first understand the contents of an ESXi patch download (also known as patch bundle or offline bundle). A patch bundle can contain multiple bulletins and each bulletin will contain either the ESXi Hypervisor OS (esx-base) and/or VMware Tools ISO images (tools-light). On occasion, a patch bundle may also contain driver updates. A bulletin will be categorized as either SG (security) or BG (bug fixes).
An SG bulletin means that ONLY security fixes are included and it excludes any functional bug fixes. The reason for having a security only bulletin is for customers that have a very stringent requirement for fixing known security vulnerabilities in a short time frame that does not allow for vetting of the entire patch release. A BG bulletin contains both the functional bug fixes and security fixes. An example of patch bundle containing all four bulletin categories would be ESXi510-201212001
Lastly, each bulletin is just comprised of VIBs which are cumulative from all previous VIBs. If we take an example of a BG bulletin that was released in July, then it will contain all the cumulative bug fixes and security fixes from Jan to June.
As you can see, with the way the ESXi hypervisor is architected, updates and/or upgrades do not increase the disk footprint like traditional Operating Systems. In addition, VMware also provides a very flexible way of either applying all bug fixes or allowing users to select security only updates based on customer’s security policies and procedures.
Here are some additional articles that may be useful in regards to ESXi patching:
Here is a diagram showing what the ESXi boot banks would look like before and after applying a patch (pertains to both updates and upgrades)
Another common question that I see frequently asked is whether ESXi patches are cumulative? The answer is yes, they are cumulative. However, at first glance at the patch downloads on the VMware’s patch website, this may not be obvious.
An SG bulletin means that ONLY security fixes are included and it excludes any functional bug fixes. The reason for having a security only bulletin is for customers that have a very stringent requirement for fixing known security vulnerabilities in a short time frame that does not allow for vetting of the entire patch release. A BG bulletin contains both the functional bug fixes and security fixes. An example of patch bundle containing all four bulletin categories would be ESXi510-201212001
Lastly, each bulletin is just comprised of VIBs which are cumulative from all previous VIBs. If we take an example of a BG bulletin that was released in July, then it will contain all the cumulative bug fixes and security fixes from Jan to June.
