Question:
What’s the difference between PSU (Patch Set Update) and CPU (Critical Patch Update) bundles?
Answer:
The quarterly PSU (Patch Set Update) includes that quarter's critical CVE (Common Vulnerabilities and Exposures) patches plus non-CVE bug fixes and new features. For supported customers, we also produce a quarterly CPU (Critical Patch Update), which includes only the current quarter's CVE fixes applied on top of the previous quarter's now-stabilized PSU.
Because CPU bundles contain no new features and no non-security bug fixes, they require less testing, which makes them the more efficient way to keep a production environment secure.
Many of our customers use only CPUs, streamlining their processes and minimizing the need for testing. In this case you will always be three months behind on new features, but you will never be behind on critical security fixes. Another typical process is to deploy the CPU quickly, then take the time to fully test (and watch for any updates to) the PSU before deploying it in production, early enough to confirm there are no issues in your environment before the next quarterly update.
An example from 2022 shows how the availability of CPU builds has a material, practical impact on the length of security exposure. In the July 2022 quarterly update, the free OpenJDK 11.0.16 builds (including the Zulu CA builds and Docker images) released on July 19th unintentionally included significant production stability regressions and had to be respun as 11.0.16.1 in mid-August to address them. Until 11.0.16.1 was available, there was no stable Zulu CA (or other free OpenJDK) build that addressed the CVEs disclosed publicly on July 19. One of those CVEs was high severity, with a CVSS score of 7.5 and remote code execution potential. In addition to the 11.0.16 PSU build, Azul had an 11.0.15.0.101 CPU build available immediately on July 19, carrying fixes for all the CVEs disclosed that day (and no other changes), and that build did not exhibit any production regressions.
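The version numbers in the example above are easy to misread in an inventory script: 11.0.15.0.101 sorts below 11.0.16 yet carries the same July 2022 CVE fixes, and a plain string comparison gets numbers like 11.0.9 wrong altogether. The following is an added example (not Azul's code) that parses `java -version` banner lines per the JEP 223 version-string format, compares them numerically, and decides whether a build carries the July 2022 fixes by either route the answer describes: the 11.0.16 PSU line (including the 11.0.16.1 respin) or the 11.0.15.0.101 CPU. The banner lines are constructed rather than captured, the rule that a CPU build is numbered `<base PSU>.0.<n>` with `n >= 101` is an assumption generalised from the one instance the answer gives, and 11.0.15.1 is a hypothetical respin of the April PSU used only to show why a single numeric threshold is not enough.

```python
"""Classify OpenJDK 11 version strings by the security content they carry.

Added example, not Azul's code.  Facts from the answer above: 11.0.15 is the
April 2022 PSU, 11.0.15.0.101 the July 2022 CPU built on it, 11.0.16 and
11.0.16.1 the July 2022 PSU and its respin.  Everything else is an assumption.
"""
import re
from typing import Dict, Tuple

Vnum = Tuple[int, ...]

# JEP 223 version string: $VNUM (digits separated by dots), optionally followed
# by -PRE, +BUILD and -OPT.  Only $VNUM matters for ordering.  Pre-JEP 223
# strings such as "1.8.0_345" are deliberately not handled here.
_VNUM_RE = re.compile(r'version "(?P<vnum>\d+(?:\.\d+)*)[^"]*"')

# Constructed first lines of `java -version` output (dates omitted); the
# version numbers are the ones named in the answer above.
SAMPLE_BANNERS = {
    "april_psu": 'openjdk version "11.0.15" LTS',
    "july_cpu": 'openjdk version "11.0.15.0.101" LTS',
    "july_psu": 'openjdk version "11.0.16" LTS',
    "july_psu_respin": 'openjdk version "11.0.16.1" LTS',
}


def parse_vnum(banner: str) -> Vnum:
    """Return $VNUM from a `java -version` banner line as a tuple of ints.

    Trailing zero components are dropped, as JEP 223 specifies
    (11.0.16.0 is the same version as 11.0.16).
    """
    m = _VNUM_RE.search(banner)
    if m is None:
        raise ValueError(f"no JEP 223 version string in {banner!r}")
    parts = tuple(int(p) for p in m.group("vnum").split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def compare_vnum(a: Vnum, b: Vnum) -> int:
    """Numeric element-wise comparison (-1, 0, 1); missing components count as 0."""
    width = max(len(a), len(b))
    ka = a + (0,) * (width - len(a))
    kb = b + (0,) * (width - len(b))
    return (ka > kb) - (ka < kb)


def naive_string_check(version: str) -> bool:
    """What an inventory script must NOT do: compare version strings lexically."""
    return version >= "11.0.15.0.101"


# Builds that contain the July 2022 CVE fixes, from the answer above: the July
# PSU line (11.0.16, its 11.0.16.1 respin, and anything later) and the July
# CPU built on the April PSU base (11.0.15.0.101).
JULY_2022_PSU: Vnum = (11, 0, 16)
JULY_2022_CPU_BASE: Vnum = (11, 0, 15)
CPU_COUNTER_START = 101  # assumption: CPU builds are <base PSU>.0.<n> with n >= 101


def is_cpu_build(v: Vnum) -> bool:
    """True for FEATURE.INTERIM.UPDATE.0.n with n >= 101 (assumed CPU numbering)."""
    return len(v) == 5 and v[3] == 0 and v[4] >= CPU_COUNTER_START


def has_july_2022_fixes(v: Vnum) -> bool:
    """True if the build carries the July 2022 CVE fixes by either route.

    A single numeric threshold of 11.0.15.0.101 would be wrong: a hypothetical
    11.0.15.1 (a respin of the April PSU) sorts above 11.0.15.0.101 under
    JEP 223 ordering yet would not contain the July fixes, so the CPU route
    checks the base version explicitly instead.
    """
    if compare_vnum(v, JULY_2022_PSU) >= 0:
        return True
    return is_cpu_build(v) and v[:3] == JULY_2022_CPU_BASE


def audit(banners: Dict[str, str]) -> Dict[str, bool]:
    """Map each label (e.g. a host name) to whether its JDK has the July 2022 fixes."""
    return {label: has_july_2022_fixes(parse_vnum(line)) for label, line in banners.items()}


if __name__ == "__main__":
    for label, ok in audit(SAMPLE_BANNERS).items():
        print(f"{label:16} {SAMPLE_BANNERS[label]!r:42} july-2022-fixes={ok}")
    # The lexical check accepts the hypothetical April respin; the numeric one does not.
    print("naive   11.0.15.1:", naive_string_check("11.0.15.1"))
    print("numeric 11.0.15.1:", has_july_2022_fixes((11, 0, 15, 1)))
```

Feeding real `java -version` output into `audit` (one banner line per host) gives a per-host answer to "does this JDK carry this quarter's CVE fixes" that is independent of whether the host took the CPU or the PSU route; to cover a later quarter, replace the two baseline constants with that quarter's PSU and CPU numbers.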
For more info, see: