VMware uses sustaining releases to provide enhancements and bug fixes to customers. The article describes the patching model available for ESXi 5.x and 6.0 platforms.
Patch release and update release are the two types of sustaining releases for ESXi 5.x and 6.0 hosts.

Release Contents

Both patch and update releases have bulletins that can be used by the vSphere Update Manager users to patch the ESXi host. Patch and update releases also have VIB files and image profiles that can be used by the ESXCLI users to patch the ESXi host. Even though patch and update releases are structured in the same manner, they are different in the following aspects:

• An update release contains more bug fixes than a patch release.
• A patch release only contains high severity fixes whereas an update release contains high and low severity fixes and probably important features and hardware enablements.
• Update release has a rollup bulletin that contains the latest VIBs with all the fixes since the initial release of an ESXi release (ESXi 5.0, ESXi 5.1, or ESXi 5.5 and ESXi 6.0).
• Update release is delivered as an additional install ISO.

Naming Convention

Patch releases have the following version numbering scheme:
ESXi<ABC>-<YYYYMMSSS>
where A is the major version of ESXi, B is the minor version of ESXi, YYYY is the year of release, MM is the month of release, and SSS is a sequence of numbers.
Example: If an ESXi 5.0.0 Patch release is released in October 2013, then the release is named ESXi500-201310001.

Update releases are named based on the ZIP file name in the following manner:
update-from-esxi5.1-5.1_update02
Example: You can update from ESXi 5.1 to ESXi 5.1 Update 2 using the update-from-esxi5.1-5.1_update02 zip.

• Patching ESXi Hosts with Bulletins by Using vSphere Update Manager
  • Bulletins
  • Cumulative Fixes for Bulletins or VIBs
  • Patch Release Bulletins Are Not Cumulative
  • Update Release Rollup Bulletin Is Cumulative
  • Identifying a Fix from an Earlier Release In a Later Release
  • Determine the Order Between Patch and Update Releases
  • Security-Only Bulletins

• Patching ESXi Hosts with VIBs and Image Profiles Using ESXCLI
  • Difference Between Update and Install Operation
  • VIB File
  • Cumulative Fixes for a VIB
  • Security-Only VIBs
  • Image Profiles
  • Image Profiles Are Cumulative
  • Image Profiles In Each Release
  • Image Profile Name Format

Patching ESXi Hosts with Bulletins by Using vSphere Update Manager

vSphere Update Manager enables centralized, automated patch and version management for VMware vSphere and offers support for VMware ESX/ESXi hosts, virtual machines, and virtual appliances. You can upgrade or patch ESXi hosts using the vSphere Update Manager.

Bulletins

A bulletin is the primary entity of a patch and update release. The bulletin was introduced in ESX 4.x as a software container and is still used in ESX 5.x. It logically defines one or more payload files called VIB files. Each VIB corresponds to a system component or driver. Each VIB file is versioned and VUM compares the version information of a VIB with what is installed on a target system to determine applicability.
A bulletin can group dependent VIBs together. Because there are very few dependent VIBs in ESXi 5.x and ESXi 6.0, most bulletins contain a single VIB file.

Note: You can only use vSphere Update Manager to patch ESXi hosts by using bulletins.

All bulletins except the update rollup bulletin have the following version numbering scheme:
ESXi<ABC>-<YYYYMM><T><SS>-<K>G
where A is the major version of ESXi, B is the minor version of ESXi, YYYY is the year of release, MM is the month of release, T is type of release (its value is 2 for a patch release, 4 for an update release, and 1 for security with some exceptions), SS is sequence of numbers, K is the kind of bulletin (its value is B for bug fix in a patch release, U for bug fix in an update release, and S for security fix in patch or update release), and G is a constant.

Cumulative Fixes for Bulletins or VIBs

Every VIB file contains a cumulative set of fixes. So a VIB with a higher version number has fixes that it was built for along with all fixes from earlier versions of that VIB.

Example: The VMware_bootbank_esx-base_5.0.0-3.41.1311175.vib VIB from ESXi 5.0 Update 3 release contains fixes new to the Update 3 release and all fixes included in earlier versions of VMware_bootbank_esx-base_5.0.0.

This rule applies only within a version of ESXi. Because the version of ESXi is part of the VIB version, every ESXi 5.1.0 VIB has a later version than an ESXi 5.0.0 VIB. An ESXi 5.1.0 VIB does not contain cumulative fixes contained in ESXi 5.0.0 VIBs.

Because a bulletin is a container for VIBs, bulletins with equal VIB contents are cumulative as well.

Patch Release Bulletins Are Not Cumulative

If a VIB is not fixed in a release, then a bulletin is not created for that VIB in that release. As a result, in a patch release, patch bulletins are sparse. Applying all bulletins from the latest ESXi patch release does not imply that the system contains all available fixes.

Example: A fix for the e1000 driver was shipped in the ESXi500-201207001 release in bulletin ESXi500-201207406-BG. Because there were no new fixes for the e1000 driver in the ESXi500-201209001 release, bulletin was not created for this. If you apply all bulletins of the ESXi500-201209001 release to an unpatched ESXi 5.0.0 system, the system does not get the e1000 fix from the ESXi500-201207001 release.

This is also applicable for update release bulletins, but update releases have an additional special bulletin called the rollup bulletin.

Note: If you are using image profiles, then changes are cumulative. For more details, see the Image Profiles Are Cumulative section.

Update Release Rollup Bulletin Is Cumulative

A rollup bulletin contains the latest VIBs with all the fixes since the initial release of ESXi. The rollup bulletin is named after the update release. For example, the rollup bulletin name for the ESXi 5.0.0 Update 3 release is ESXi500-Update03.

Example: Consider the e1000 driver example mentioned in the above section. Even though the ESX 5.0.0 U3 release does not have a specific bulletin that patches the e1000 driver, the ESXi500-Update03 bulletin (the rollup bulletin) includes the latest e1000 VIB which is derived from the last release it was shipped in.

Identifying a Fix from an Earlier Release In a Later Release

In case of a patch release, if a VIB is contained in later release, it has all the fixes of that VIB from earlier releases. Because patch release does not contain the same set of VIBs of earlier releases, the best way to determine the inclusion of a fix is at VIB level of a patch. Whereas, in an update rollup bulletin, if the bulletin or VIB is from a release prior to the update release, then the fix is present in the update rollup bulletin.

Determine the Order Between Patch and Update Releases

You cannot determine the order of the patch and update release from the release name. So instead of comparing release names use the bulletin names as the later released bulletins have later dates. If a bulletin contains a VIB from an earlier release, all the earlier fixes for the VIB are present in this new bulletin.

In case of an update release, compare the release date of the update bulletin with other bulletin names or release dates.

Security-Only Bulletins

The bulletin IDs of security-only bulletins end with an SG suffix. Their VIB payload continues to be cumulative of earlier bug fixes, but they contain only security fixes for the current release.

Starting with ESXi 5.0 Update 1, patch and update releases contain general and security-only bulletins. Security-only bulletins are applicable for new security fixes only. New general bug fixes are not included, but bug fixes from earlier patch or update releases are included.

If non-security bug fix is not present for a VIB, a separate security bulletin is not created in the release.

If there is a non-security bug fix for a VIB, a separate bulletin with a suffix BG or UG is created for the fixed VIB containing both security and non-security fixes. A VIB containing security-only fix has a lower version than the VIB containing security and non-security fixes in the same release.

The purpose of these bulletins or VIBs is to provide customers with the ability to be compliant with security fixes as soon as possible while giving them time to evaluate the impact of the non-security bug fixes.