Explaining PSU and CPU

Question:

What’s the difference between PSU (Patch Set Update) and CPU (Critical Patch Update) bundles?

Answer:

Azul provides two types of quarterly update bundles for supported customers:
  • PSU (Patch Set Update): Includes the latest critical CVE (Common Vulnerabilities and Exposures) security fixes, as well as non-security bug fixes and new features.

  • CPU (Critical Patch Update): Includes only the CVE fixes from the current quarter, applied on top of the previous quarter’s PSU, which has had more time in the field to stabilize.

The CPU is often referred to as a stabilized build — it minimizes risk by avoiding non-security changes, reducing the chance of regressions. For many organizations, this is the best path to apply critical fixes without introducing disruption.

🔍 Real-World Example: July 2022

In July 2022, the PSU builds released for OpenJDK 8, 11, and 17 introduced regressions that prevented their use in production environments. While a respin with corrected PSU builds was eventually released on August 19, CPU users were able to apply all security fixes immediately on July 19 using Azul’s CPU builds — with no regressions.

The timeline below highlights the practical impact:

[Figure: PSU-CPU-example.png]

Figure: The CPU Advantage — July 2022 Example
When regressions in PSU builds delayed production deployment of critical patches for four weeks, CPU builds provided immediate access to all CVE fixes — without introducing instability. CPU users were able to patch against three vulnerabilities (including one rated 7.5 for remote code execution) on July 19, while PSU users had to wait until August 19 for a stable update.

As shown above, this four-week window left many relying on PSU builds exposed to high-severity vulnerabilities, including one with a CVSS score of 7.5, without a viable way to patch.

This wasn’t an isolated case — over 30% of PSU builds in the past 3 years have introduced regressions that delayed secure deployment.

🛠️ How Customers Use CPUs

Many customers choose to deploy only CPU builds, prioritizing stability and security while streamlining operations. This approach means:

  • Always getting critical security fixes as soon as they are available

  • Accepting a 3-month delay on new features

  • Minimizing the risk of regression in production

Other teams use a hybrid model:

  1. Deploy the CPU build quickly, after light testing.

  2. Test the PSU more thoroughly — and deploy it later, if needed.

Because the next quarter’s CPU is built on top of this quarter’s PSU, testing the PSU in advance ensures there’s no disruption from the next CPU release, especially in environments where issues might only surface under specific conditions (e.g., custom apps or unusual load patterns).

✅ Summary

If your priority is minimizing risk while staying fully patched, CPU builds are your best option. They offer a clear, proven path to staying secure — without surprises.


For more info, see:
