Patches? Patches? We don’t need no stinkin’ Patches



Recently I reviewed some of the patching techniques around ESXi and vCenter Server.

The question I wanted to know more about was – How are the products (vCenter and ESX(i), 4.0 and above) patched?

What I found was “it depends” :) but I remember them this way…

Note – Before I apply ANY patch or update I always check the HCL, check with my hardware vendor, and read the release notes as most patches contain prerequisites.


vCenter Server is simple, I remember it this way “Patches? Patches? We don’t need no stinkin’ Patches…”

ESXi — Can be a bit more complicated…  It’s more like this — “I’d like the pie heated and I don’t want the ice cream on top, I want it on the side, and I’d like strawberry instead of vanilla if you have it, if not then no ice cream just whipped cream but only if it’s real; if it’s out of the can then nothing.”


Here is a bit more depth –

vCenter Server (VC) Windows Edition –

VC 4.x, 5.0 and 5.1 – There are no patches for vCenter Server, only full update packages which contain all the content. AKA – Patches are included in each release.

VC 5.5 – No patches for VC, just updates, but there are patches for tcServer and JRE.  These patches will be released on an as-needed basis.

It’s pretty simple, if you want to patch your vCenter Server then just install an Update, but do your


ESXi —

First off, Patches are not exactly cumulative, and depending on how you update ESXi, the Build numbers and sub-components can be off.

Trying to simplify this… it’s not a cut and dry method but here is what I found…

In most cases (not all) it seems to come down to two ways of updating your host. Ask yourself this:

1.     Do you want ESXi to report the more accurate Build Number and have all the underlying sub-components (Virt Hardware, Tools, etc) up to date?

2.     OR is it more important to just have a specific Patch installed?


If Yes to “more accurate Build Number” then this is suggested…

Update ESXi to the latest Update, then apply the latest Patch.

This should ensure the sub-components contained within are updated uniformly and the build number should report properly.

Accurate Build Number Example – You are at ESXi 4.1U1, update it to ESXi 4.1U3 first, then Apply Patch 9

The result should yield an ESXi server and subcomponents fully up to date


If Yes to “more important to just have a specific Patch”, the simple answer is: just apply that patch.

However, depending on your current level of ESXi, the patch may not contain all the updated sub-components.

It will contain the Patches and Security updates documented in its KB or release notes.


Specific Patch Example – You are at ESXi 4.1U1, Just Apply Patch 9

The result should yield an ESXi Server with Patch 9 and the sub-components may not be updated, it depends on the patch

This may also change the build number to reflect an unexpected result, meaning it may not look like the build number for ESXi 4.1U1 or Patch 9, it may be somewhere in between.
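
An added example, not from the original post: a small Python check that flags hosts whose reported build number does not match any known release build, which is how the “somewhere in between” case above shows up across an inventory. The build numbers, hostnames and catalogue are constructed placeholders, and the input is assumed to be the one-line output of `vmware -v` collected from each host.

```python
import bisect
import re

# Constructed placeholder catalogue (build -> release); use the vendor's real list.
KNOWN_BUILDS = {
    100000: "ESXi 4.1 U1",
    200000: "ESXi 4.1 U3",
    300000: "ESXi 4.1 Patch 9",
}

VERSION_RE = re.compile(r"^VMware ESXi? (\d+\.\d+\.\d+) build-(\d+)\s*$")


def parse_version(line):
    """Return (version, build) from a `vmware -v` style line, or None."""
    m = VERSION_RE.match(line.strip())
    return (m.group(1), int(m.group(2))) if m else None


def classify(build, known=KNOWN_BUILDS):
    """Map a reported build to a known release or say where it falls."""
    if build in known:
        return f"match: {known[build]}"
    ordered = sorted(known)
    i = bisect.bisect_left(ordered, build)
    if i == 0:
        return f"older than {known[ordered[0]]}"
    if i == len(ordered):
        return f"newer than {known[ordered[-1]]}"
    # Build sits between two catalogued releases: sub-components may be mixed.
    return f"in between {known[ordered[i-1]]} and {known[ordered[i]]}"


def audit(inventory):
    """inventory: {hostname: version line}; returns {hostname: finding}."""
    findings = {}
    for host, line in inventory.items():
        parsed = parse_version(line)
        findings[host] = classify(parsed[1]) if parsed else "unparseable"
    return findings


SAMPLE = {  # constructed inventory; hostnames and builds are made up
    "esx01": "VMware ESXi 4.1.0 build-200000",
    "esx02": "VMware ESXi 4.1.0 build-250000",
    "esx04": "connection refused",
}

if __name__ == "__main__":
    print("\n".join(f"{h} -> {f}" for h, f in sorted(audit(SAMPLE).items())))
```

A host reported as “in between” is the one to compare against the KB or release notes of the patch that was applied, since its sub-components may not match either neighbouring release.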


Last Monkey Wrench in this mix… Express Patches with ESXi

This is the exception to the statements above and adds a couple of new rules…

Express Patches typically fix only a very specific function, and they are typically NOT cumulative.


Monkey Wrench Example – You are at ESXi 4.1U1; let’s say Express Patch 3 (EP) is the latest patch level.

To fully update ESXi and sub-components you should update to ESXi 4.1U3 first, apply the Patches and only EPs just below EP3, then apply EP3

If you only want the EP then just apply EP3


Hopefully this makes sense and after reading this thread I’ll bet you never look at ESXi patching the same way :)


One last item here is a great url around build numbers…




