The original ESXi system provided by VMware is made up of multiple software packages (currently 60 for ESXi 5.0 and 65 for ESXi 5.1) called VIBs (VMware Installation Bundles). There is e.g. one large VIB for the base system (esx-base), one for the VMware Tools (tools-light), and most of the remaining VIBs are hardware device drivers (e.g. net-e1000 or sata-ahci).
With an ESXi patch one or multiple of these VIBs are updated (or in very rare cases added). An example: The latest patch for ESXi 5.0 (ESXi-5.0.0-201209001 of Sep 2012) updates the VIBs esx-base, tools-light and misc-drivers.
ESXi patches are provided by VMware in the format of so-called Offline Bundles (in this case also called Patch Bundles) in ZIP format. Kyle Gleed has explained in this blog post how you can download them from the Patch download portal.
Now the most important point to understand is that these Patch Bundles do not only include the patched/updated VIBs, but all VIBs that make up an ESXi system, and in fact the latest version of them all.
So, strictly speaking, the answer to the original question is No, because a single patch changes only one or multiple VIBs and thus cannot be cumulative. However, patches are not provided separately, but only as parts of complete Patch Bundles, and the Patch Bundles are indeed cumulative! That means we need to install only the latest Patch Bundle to make ESXi fully patched.
To prove this claim I have compiled a spreadsheet that shows all the Patch Bundles that have been released so far for ESXi 5.0 and 5.1, each with complete lists of the included VIB packages and their versions. VIBs that are updated in a Patch Bundle are marked in red. I plan to keep this spreadsheet updated when new patches are released.
The next question is: How do we install the latest Patch Bundle in the right way?
Before we can answer this question we need to understand the concept of Image Profiles. Each Patch Bundle includes exactly two or four Image Profiles, and these are just logical sets of VIB packages. As an example we look at the four Image Profiles that are included in the latest ESXi 5.0 patch mentioned above:
- ESXi-5.0.0-20120904001-standard contains all 60 (resp. 65) VIB packages. The three that are patched are included with their new versions, all others are included with the versions that were also included in the previous Patch Bundle (ESXi-5.0.0-201207001).
- ESXi-5.0.0-20120904001-no-tools is the same, but without the VMware Tools VIB (tools-light). This profile is typically used to build streamlined thin ESXi images, e.g. for AutoDeploy.
- ESXi-5.0.0-20120901001s-standard contains all 60 (resp. 65) VIB packages (like the first one), but only the patched VIBs that include security fixes (only esx-base in this case) are included with their new versions, and all others are included with the versions that were also included in the previous Patch Bundle.
- ESXi-5.0.0-20120901001s-no-tools is the same as the third one, but without the VMware Tools VIB (tools-light).
For most machines you will want to update the system with the regular standard Image Profile. The following esxcli commands list the Image Profiles that are available in a Patch Bundle and install/update the system with one of them (run them in a local or remote ESXi shell):
```
# List image Profiles that are provided by the Patch Bundle
# (Replace /path/to with the datastore path of the Patch Bundle)
#
esxcli software sources profile list -d /path/to/ESXi500-201209001.zip
#
# The output will look like this:
# Name                              Vendor        Acceptance Level
# --------------------------------  ------------  ----------------
# ESXi-5.0.0-20120904001-no-tools   VMware, Inc.  PartnerSupported
# ESXi-5.0.0-20120904001-standard   VMware, Inc.  PartnerSupported
# ESXi-5.0.0-20120901001s-standard  VMware, Inc.  PartnerSupported
# ESXi-5.0.0-20120901001s-no-tools  VMware, Inc.  PartnerSupported
#
# Now update the system with the regular standard profile:
#
esxcli software profile update -d /path/to/ESXi500-201209001.zip -p ESXi-5.0.0-20120904001-standard
#
```
There are two different ways to apply the Image Profile: With esxcli software profile update (like in the above example) or with esxcli software profile install, and it is very important to understand the difference: The install command will remove all existing VIB packages from the installed system and replace them with all VIB packages that are part of the Image Profile. That means it would also remove any installed package that is not included in the Image Profile and downgrade any installed package that has a newer version than the one in the Image Profile! In most cases it is safer to use the update command instead: It will keep all installed packages that are not included in the Image Profile or have a higher version number than the one in the Image Profile.
If you have ever manually updated an ESXi device driver by installing one of the Offline Bundles that are available here for ESXi 5.0 and here for ESXi 5.1 then you should definitely use the update command to keep them. The same is true if you have installed your ESXi system with a customized ISO that was provided by a hardware vendor (like HP, Dell, etc.).
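The difference between update and install, modelled as an added example (not code from the original post or from VMware). The VIB inventories and version strings are constructed, `vendor-agent` is a hypothetical vendor VIB, and version comparison is simplified to the numeric fields:

```python
import re

# Constructed sample inventories (VIB name -> version); versions are made up.
INSTALLED = {
    "esx-base": "5.0.0-1.10",
    "tools-light": "5.0.0-1.10",
    "net-e1000": "8.0.3-2",    # driver updated manually, newer than the profile
    "vendor-agent": "1.0-1",   # hypothetical VIB from a vendor-customized ISO
}
PROFILE = {
    "esx-base": "5.0.0-1.20",
    "tools-light": "5.0.0-1.20",
    "net-e1000": "8.0.3-1",
}

def vkey(version):
    """Simplified ordering: compare the numeric fields of a version string."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def apply_profile(installed, profile, mode):
    """Return (resulting VIBs, changes) for mode 'install' or 'update'."""
    if mode not in ("install", "update"):
        raise ValueError("mode must be 'install' or 'update'")
    result, changes = {}, []
    for name in sorted(set(installed) | set(profile)):
        old, new = installed.get(name), profile.get(name)
        if new is None:                      # VIB is not part of the profile
            if mode == "update":
                result[name] = old           # update keeps it
            else:
                changes.append(("removed", name, old, None))
        elif old is None:
            result[name] = new
            changes.append(("added", name, None, new))
        elif vkey(new) > vkey(old):
            result[name] = new
            changes.append(("upgraded", name, old, new))
        elif vkey(new) < vkey(old) and mode == "install":
            result[name] = new               # install forces the profile version
            changes.append(("downgraded", name, old, new))
        else:
            result[name] = old               # same version, or newer VIB kept by update
    return result, changes

if __name__ == "__main__":
    for mode in ("update", "install"):
        _, changes = apply_profile(INSTALLED, PROFILE, mode)
        print(mode, changes)
```

On a real host, both esxcli software profile update and esxcli software profile install accept --dry-run, which reports the VIB-level operations without changing the system.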
I hope that this post will answer the question about cumulative patches once and for all (although I will of course answer any related question in the comments). For those of you who want to learn even more about this topic here are some links:
- Learn how to build your own installation ISOs using the ESXi-Customizer-PS script ...
- ... and how to build your own Patch Bundles with the latest version of the same script
- Dig deeper into PowerCLI ImageBuilder with the ImageBuilder Deep Dive (part one, two and three)
- How to update ESXi from 5.0 to 5.1
- Overview Spreadsheet: ESXi 5.x patches with VIB lists