Check the following commands.

To determine the patches or updates applied on the ESX host:

1. Log in to the ESX service console.
2. At the command prompt, run the command:
   
   #esxupdate query
   Lines in the output indicate the names and of patches that might have been applied after the original installation. Typical output is similar to:
   
   ----Bulletin ID---- -----Installed----- -------------Summary-------------
   ESX400-200906401-BG 2009-07-08T18:02:49 Updates VMX
   ESX400-200906412-BG 2009-07-08T18:02:49 Updates esxupdate
   ESX400-200906404-BG 2009-07-08T18:02:49 Updates CIM

To view the build numbers of RPMs in a specific bulletin contained in a patch bundle after it is installed.

1. Log in to the ESX Server service console.
   
   At the command prompt, type:
   
   # esxupdate info -b bulletinname
   
   Where bulletinname represents the name of the bulletin you are reviewing, such as ESX400-200906413-BG.

To determine the patches or updates applied on the ESXi host:

1. Log in locally to the ESXi host.
2. At the command prompt, run the command:
   
   #esxcli software vib list

To view the build numbers of RPMs and VIB details contained in a patch bundle before it is installed:

1. Download the patch bundle zip files as described in the patch bundle installation instructions.
2. Before installing the patch, change to the directory that you use as your esxupdate repository. For example, if your repository is located at /var/updates, type:
   
   #cd /var/updates
3. At the command prompt, type:
   
   #esxupdate --bundle patchbundlename.zip info
   
   Where patchbundlename represents the name of patch bundle.

Once you have the output from the commands you could compare the same with the list you have. Hope this helps.

Thanks,
Avinash

> How can I tell if a hypervisor is patched with certain VMware patches (I've pulled a list of most recent ones from VMware security bulletin)?

Assuming you know what the ESXi host original version and build number was, probably the easiest way is to look at the build number for host from vCenter without using anything else other than websites. ESXi patches are cumulative and the build number should be the easiest way to determine the "current patch level". Selecting the ESXi host in vCenter and looking at the version and build number in the grey banner is where you will find that (if you weren't aware of that already).

If you are lucky you might be able to find that build number on the 1014508 KB article (linked below), again you might get lucky and find that build number on the Security patches KB but its perhaps not the most comprehensive list of patches.

Correlating vCenter Server and ESXi/ESX host build numbers to update levels (1014508)

http://kb.vmware.com/kb/1014508

VMware Security Patches Upgrade Guide (2019941)

http://kb.vmware.com/kb/2019941

However the above security Patches only covers the.....Security patches......and omits the bug fix patches in some cases.....so the below page is probably the most comprehensive list. Alternatively you can do a Google search for the build number you found and directly find the KB article for that patch which is also linked off the below Patches page. Just do a search for the particular version you are using.

Product Patches

https://my.vmware.com/group/vmware/patch#search

While you are there click on the "Get Net Patch Alerts" link and subscribe to patch notifications.

The other place to find information is in the Release notes for Update releases (rollup of many patches and some feature enhancements). Check out the "Patches Contained in this Release" on the specific Release notes page. e.g. ESXi 5.1 Update 1 Release Notes

You can find the specific release notes for the version you are using on the vSphere doco page just select your specific version on the drop down. Its also worth checking out the Upgrade processing information on the Release notes and within the Upgrade Guide on that same page.

VMware vSphere Documentation

Keep in mind when looking at Patch KB articles there are two types.

• Patch Release (a rollup of all the patches in that release) e.g. VMware KB: VMware ESXi 5.0, Patch Release ESXi500-201303001
• With one or many patches within it e.g. VMware KB: VMware ESXi 5.0, Patch ESXi500-201303401-BG: Updates esx-base

But its easier and more efficient alternatives would be:

• Setup a baseline in VUM (that's what it’s for after all). Attach it to the ESXi hosts/clusters and do a scan the scan then look at the results....Assuming all the latest patches are downloaded from the repositories (check out the VUM configuration) the best approach would be to attach the two dynamic baselines (Critical and Non-Critical Host Patches) will all the patches but if that creates too much "noise" you can setup your own baseline or baseline group to suit your objective. After you are done just detach that baseline and no hard is done. Or use it to Remediate the differences. VMware KB: Updating an ESX host using vCenter Update Manager
• Use the PowerCLI Command Get-VMHostPatch commandlet   http://rvdnieuwendijk.com/2011/11/24/check-your-vsphere-cluster-hosts-patch-level-with-powercli/#mor...

> Can patches be applied outside VUM?

Yep a few ways

• via the command line Quickest Way to Patch an ESX/ESXi Using the Command-line | VMware vSphere Blog - VMware Blogs
• Creating a custom ISO using the PowerCLI Image Building commandlets then installing/upgrading manually by booting from the ISO Using the vSphere ESXi Image Builder CLI | VMware vSphere Blog - VMware Blogs or How to use vSphere Image Builder to create a custom ISO - VirtualizeTips | VirtualizeTips
• Upgrades are usually more full on that updates or patches but a lot of the information here will still apply http://kb.vmware.com/kb/2032757
• If the above upgrade page is too broad then at the bottom of the Patch Release KB article I mentioned above you will find a "Patch Download and Installation" section which explains and provide resources for the options.