VMware Cloud Community
pegasus20111014
Contributor

Questions about ESXi 5 patching best practices

We are currently on version 5.1.0 (Build 799733) of vSphere (vCenter / ESXi).  We have a mandate now that we are to install all security patches for all operating systems in our datacenter.  Up until this point we have mainly been updating to the different major releases and have been running stable with version 5.1 for over a year.  The next planned update was to be after vSphere 6 was released.  We have a fairly large VMware environment (approx 80 ESXi hosts and over 1000 VMs).

I guess my question is, is it ok to just install all security patches released for version 5.1 up to this point (and not bug fixes, etc, that do not really affect us)?  We would prefer not to do an upgrade to the latest release 5.5 at this point since we were planning for our next major upgrade to vSphere 6 when that is released sometime next year.  We have been running stable without any real issues under this version of 5.1 and would rather not rock the boat too much until we upgrade to the next major release (vSphere 6).  If this is not a best practice then would updating to 5.1 Update 3 include all past security patches for version 5.1?  I would tend to think that if we do a more major update such as installing Update 3 for 5.1, which includes bug fixes, feature enhancements, etc, then we might as well just update to version 5.5.

Also, if just applying security patches for 5.1, would this affect the build number of ESXi and possibly require an update to our vCenter servers?

Any insight into this would be appreciated.  Thanks

2 Replies
corvettefisher
Enthusiast

For applying only patches that pertain to security level, you will want to use VUM and a custom baseline:

1. Go to Home > Solutions and Applications > Update Manager > Baselines and groups

2. Right click in Baselines window

3. Name it $whatever$ and ensure that Host Patch is selected in baseline type

4. Type dynamic

In Criteria you will want to have it looking something like the attached photo.

Exclude anything you don't want (note the screenshot shows all security, even low to moderate) and finish out the wizard. From there on it is just attaching the baseline to the hosts and clusters needed.

Personally I would say apply 5.1 U3 unless there is strong reasoning not to; there are multiple performance tweaks that can help, as well as other optimizations done to vCenter and the Web Client.

pegasus20111014
Contributor

Thanks.  We were hoping to just get by with installing security patches for now until vSphere 6 is released, since at the moment our environment has been stable and it's quite an undertaking to perform major updates being a large VMware environment in a healthcare organization.  Could there be any potential issues in just applying security patches for now instead of all patches such as bug fixes and enhancements?  I guess the concern is causing issues as a result of an update.

If we go the route of just applying Update 3, how much less involved would it be to just apply Update 3 to our 5.1 servers as opposed to updating them to the latest release of 5.5?  If it's basically the same amount of effort, then maybe it would be more beneficial to just update to 5.5.
