Finally summarizing a question I asked some time back. Original question below. My summary is kind of long but I wanted to include the replies so that maybe I can help someone else as confused as I in the future.

I wanted to try and clarify, when installing recommended and security patches, how important it was to install patches that were recommended (not required) in the README part of a patch that showed up in the original recommended patch list. A lot of times these are just updates to a patch already installed.

I must say I didn't get a clear-cut answer but after reading all the replies I'm inclined to believe that I should just scrap running the patchdiag tool and just blindly run the install_cluster script that comes with the recommended patch cluster. If anyone thinks that's a really bad idea please let me know. I put some of my own notes after the replies I received below.

From Mark Montague:

In my opinion, the best thing to do is to download the entire Recommended and Security Patch Cluster (all patches in a single file) and install that. The patch cluster will then take care of installing all of the necessary patches -- the "to get the complete fix" patches are always included in the patch cluster, in my experience. There will be some patches in the patch cluster that aren't applicable to you because they are for different machine architectures or because they are for packages which you don't have installed. This is okay; the patch cluster install procedure automatically figures out which patches should NOT be installed.

My note: So Mark is indicating that I download the cluster and just run the patch-install script and not worry about using the patchdiag tool to identify what patches are already installed and not installed on my system. I use that technique the first time I install an OS but wasn't sure how wise it was to just do the cluster install after that point.

From Naeem Hussain:

The patch diag tool recommends the sequence in which the patches need to be installed. Some patches might need reboot of the system. However, you don't have to do that after installing every patch that requires reboot. You can install all the patches and do the reboot once. Use the patchadd command with the B option for backing up current. This way if the patch does not work, you can always do a patchrm -B /dir/for/backout patchname. If a patch add fails then it will list out the patches that are missing, you then have to download these from sunsolve.sun.com and add them before proceeding. The kernel updates are Critical and mandatory patches in most cases. You should do this ALWAYS. These are usually there every 2 months or so.. ALL the best!

My note: If the kernel updates are critical then why doesn't the patch report (from patchdiag) list them in the recommended section? I'm speaking of the patch listed as SunOS 5.x: Kernel update patch. It's always listed under Installed patches and then I can see whether it's current or not. So if kernel updates are truly something that should ALWAYS be installed should I always just look here and update if it's not at the latest revision? On this report I tend to just look at the Uninstalled Recommended and Uninstalled Security patches.

Rick Francis also agreed on keeping the kernel patch current and just installing via the install_cluster script.

Roman Pestka:

If you are running Solaris 8 or 7 I suggest you apply the MU cluster as these are a set of patches which have been tested together, and only then put the rec and sec patches on top. That way the amount of work you need to do is minimised.

My note: Just now putting up a few boxes with Solaris 8 so I'm not real familiar with the differences between using the MU and the old patch installation method.

From Sergio Gelato:

Sun's "R" and "S" flags apply to patch numbers, but not to specific revisions.
Once Security, always Security (mostly reasonable, but you still have to read the README to find out which *revision* of the patch fixes the security holes), and once Recommended, always Recommended (despite the fact that all too often the latest revision of a patch contains regressions).

My note: I believe Sergio is indicating that if there is an update to an installed patch and that patch was originally a recommended patch then I should apply the update :-) Again this would be a good indication that just blindly running the install_cluster script would do the job.

********************************************************************************

Original question:

I've done a web search and looked in the FAQ but can't really find an answer to my question. It's probably really more opinion than a clear-cut answer but I'm curious what those of you with more experience think.

I know that basic patching recommendations say that you should install at least the recommended and security patches. I happen to use the patchdiag tool from Sun so I get a list of the recommended and security patches. I print the readme files from each one that I need. Then I go through all of those to identify any required patches or special instructions. I make a list of all the patches I then need.

Here's what puzzles me a bit. When you go through those README files many patches have no extra patch recommendations (not required but recommended) but many do, sometimes with lots of other patches listed and when you go to their README file often other patches are recommended. The recommendations are usually listed stating something like "To get the complete fix for item X you should also install...."

My question is this. Should I go ahead and install those additional recommended patches? What about applying (usually updating) the kernel update patch?
Very seldom do I see the kernel update patch end up on the main patchdiag report list for recommended patches but it will often show up as recommended in the Special Install Instructions area of other patches that were on the patchdiag recommended list.

I'm sure this is a gray area but I'd just like to hear some feedback from other admins. I only operate department level servers so nothing extremely critical. Still if they do get screwed up from a patch it is a pain to go back and fix them up.

TIA for any advice.

**********************************************************************************
Lisa Weihl, System Administrator     E-mail: lweihl@cs.bgsu.edu
Department of Computer Science       Office: Hayes 225
Bowling Green State University       Phone: (419) 372-0116
Bowling Green, Ohio 43403-0214       Fax: (419) 372-8061
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Feb 1 13:04:24 2002