Changes to Behavior of Scanning & Deploying Java Patches Due to CPU & PSU Release

Version 2



    This document is intended to provide information about some changes around detection and installation of Java patches starting in October 2014.




    Starting in October 2014 Java started releasing updates in a new manner. The basic concept is that main critical bulletins are released with an odd number such as Java SE 7 Update 71 (CPU release), and then there is an additional bulletin that contains other bug fixes with an even numbered bulletin such as Java 7-72 (PSU release).


    The full explanation for the changes can be found on Java's site, here:

    Java CPU and PSU Releases Explained


    Shavlik will be offering both the CPU and PSU releases. The CPU releases will be offered with a Security patch type whereas the PSU releases will be offered with a non-security patch type.


    If you were to run a Security Patch scan in Protect you will only be offered the CPU release. (main security bulletin) However, if you run a WUscan (both security & non-security) you will be offered both the CPU & PSU release as missing patches. Per Java - only one version is required to be installed. If you do not use a patch group to filter out the PSU release, this version will end up being installed because it has a higher version number than the CPU release. Keep this in mind before you set up scan and deployment when using both security and non-security patch types.


    Additional Information


    Additionally, we have noticed that most often when the latest Java updates are installed they provide a return code that a reboot is required. Keep in mind that a reboot will often be required.


    We suggest to refer to this document to help alleviate some pain points with updating Java:

    Best Practices For Deploying Java In Your Environment


    Affected Product(s)

    Shavlik Protect 9.x