Changes to Behavior of Scanning & Deploying Java Patches Due to CPU & PSU Release

Version 2

    Purpose

     

    This document is intended to provide information about some changes around detection and installation of Java patches starting in October 2014.

     

    Description

     

    Starting in October 2014 Java started releasing updates in a new manner. The basic concept is that main critical bulletins are released with an odd number such as Java SE 7 Update 71 (CPU release), and then there is an additional bulletin that contains other bug fixes with an even numbered bulletin such as Java 7-72 (PSU release).

     

    The full explanation for the changes can be found on Java's site, here:

    Java CPU and PSU Releases Explained

     

    Shavlik will be offering both the CPU and PSU releases. The CPU releases will be offered with a Security patch type whereas the PSU releases will be offered with a non-security patch type.

     

    If you were to run a Security Patch scan in Protect you will only be offered the CPU release. (main security bulletin) However, if you run a WUscan (both security & non-security) you will be offered both the CPU & PSU release as missing patches. Per Java - only one version is required to be installed. If you do not use a patch group to filter out the PSU release, this version will end up being installed because it has a higher version number than the CPU release. Keep this in mind before you set up scan and deployment when using both security and non-security patch types.

     

    Additional Information

     

    Additionally, we have noticed that most often when the latest Java updates are installed they provide a return code that a reboot is required. Keep in mind that a reboot will often be required.

     

    We suggest to refer to this document to help alleviate some pain points with updating Java:

    Best Practices For Deploying Java In Your Environment

     

    Affected Product(s)


    Shavlik Protect 9.x