SUMMARY: kernel patch question (long)

From: Lisa Weihl
Date: Fri Feb 01 2002 - 10:56:25 EST
Finally summarizing a question I asked some time back.  Original question 
below.  My summary is kind of long but I wanted to include the replies so 
that maybe I can help someone else as confused as I in the future.

I wanted to try and clarify, when installing recommended and security 
patches, how important it was to install patches that were recommended (not 
required) in the README part of a patch that showed up in the original 
recommended patch list.  A lot of times these are just updates to a patch 
already installed.

I must say I didn't get a clear-cut answer but after reading all the replies 
I'm inclined to believe that I should just scrap running the patchdiag tool 
and just blindly run the install_cluster script that comes with the 
recommended patch cluster.  If anyone thinks that's a really bad idea 
please let me know.  I put some of my own notes after the replies I 
received below.

 From Mark Montague:

In my opinion, the best thing to do is to download the entire
Recommended and Security Patch Cluster (all patches in a single file)
and install that. The patch cluster will then take care of
installing all of the necessary patches -- the "to get the complete
fix" patches are always included in the patch cluster, in my experience.
There will be some patches in the patch cluster that aren't applicable
to you because they are for different machine architectures or because
they are for packages which you don't have installed. This is okay;
the patch cluster install procedure automatically figures out which
patches should NOT be installed.

My note: So Mark is indicating that I download the cluster and just run the 
patch-install script and not worry about using the patchdiag tool to 
identify what patches are already installed and not installed on my 
system.  I use that technique the first time I install an OS but wasn't 
sure how wise it was to just do the cluster install after that point.

 From Naeem Hussain:

The patch diag tool recommends the sequence in which the patches need to be
installed. Some patches might need reboot of the system. However, you don't
have to do that after installing every patch that requires reboot. You can
install all the patches and do the reboot once.
Use the patchadd command with the B option for backing up current. This way
if the patch does not work, you can always do a patchrm -B /dir/for/backout
If a patch add fails then it will list out the patches that are missing, you
then have to download these from and add them before
The kernel updates are Critical and mandatory patches in most cases. You
should do this ALWAYS. These are usually there every 2 months or so.
ALL the best!

My note:  If the kernel updates are critical then why doesn't the patch 
report (from patchdiag) list them in the recommended section?  I'm speaking 
of the patch listed as SunOS 5.x: Kernel update patch.  It's always listed 
under Installed patches and then I can see whether it's current or not.  So 
if kernel updates are truly something that should ALWAYS be installed 
should I always just look here and update if it's not at the latest 
revision?  On this report I tend to just look at the Uninstalled 
Recommended and Uninstalled Security patches.

Rick Francis also agreed on keeping the kernel patch current and just 
installing via the install_cluster script.

Roman Pestka:

If you are running Solaris 8 or 7 I suggest you apply the MU cluster as
these are a set of patches which have been tested together, and only then
put the rec and sec patches on top. That way the amount of work you need to
do is minimised.

My note:  Just now putting up a few boxes with Solaris 8 so I'm not real 
familiar with the differences between using the MU and the old patch 
installation method.

 From Sergio Gelato:

Sun's "R" and "S" flags apply to patch numbers, but not to
specific revisions. Once Security, always Security (mostly reasonable,
but you still have to read the README to find out which *revision* of
the patch fixes the security holes), and once Recommended, always
Recommended (despite the fact that all too often the latest revision of
a patch contains regressions).

My note:  I believe Sergio is indicating that if there is an update to an 
installed patch and that patch was originally a recommended patch then I 
should apply the update:-)  Again this would be a good indication that just 
blindly running the install_cluster script would do the job.

Original question:

I've done a web search and looked in the FAQ but can't really find an
answer to my question. It's probably really more opinion than a clear cut
answer but I'm curious what those of you with more experience think.
I know that basic patching recommendations say that you should install at
least the recommended and security patches. I happen to use the patchdiag
tool from Sun so I get a list of the recommended and security patches. I
print the readme files from each one that I need. Then I go through all of
those to identify any required patches or special instructions. I make a
list of all the patches I then need. Here's what puzzles me a bit. When
you go through those README files many patches have no extra patch
recommendations (not required but recommended) but many do, sometimes with
lots of other patches listed and when you go to their README file often
other patches are recommended. The recommendations are usually listed
stating something like "To get the complete fix for item X you should also
My question is this. Should I go ahead and install those additional
recommended patches? What about applying (usually updating) the kernel
update patch? Very seldom do I see the kernel update patch end up on the
main patchdiag report list for recommended patches but it will often show
up as recommended in the Special Install Instructions area of other patches
that were on the patchdiag recommended list.
I'm sure this is a gray area but I'd just like to hear some feedback from
other admins. I only operate department level servers so nothing extremely
critical. Still if they do get screwed up from a patch it is a pain to go
back and fix them up.
TIA for any advice.
Lisa Weihl, System Administrator	E-mail:
Department of Computer Science	Office:	Hayes 225
Bowling Green State University		Phone:	(419) 372-0116
Bowling Green, Ohio 43403-0214	Fax:	(419) 372-8061
sunmanagers mailing list
Received on Fri Feb 1 13:04:24 2002
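
Sergio's point above, that the R and S flags follow the patch number and not the revision, means the installed revision still has to be checked against the revision each README names. The script below is an added example, not part of the original thread: it reads saved `showrev -p` output and a hypothetical list of minimum revisions (one `<id>-<rev>` per line); the patch IDs and the list format are constructed for illustration.

```shell
#!/bin/sh
# Compare installed patch revisions with the minimum revisions noted from
# each patch README. Patch IDs below are constructed, not real Sun patches.

# check_patch_revs INSTALLED REQUIRED
#   INSTALLED: saved output of `showrev -p` ("Patch: <id>-<rev> Obsoletes: ...")
#   REQUIRED:  hypothetical list, one "<id>-<minimum rev>" per line
check_patch_revs() {
    awk '
        # First file: keep the highest installed revision of each patch id.
        FILENAME == ARGV[1] {
            if ($1 == "Patch:" && split($2, p, "-") == 2) {
                if (!(p[1] in have) || p[2] + 0 > have[p[1]] + 0)
                    have[p[1]] = p[2]
            }
            next
        }
        # Second file: report each required patch against what is installed.
        split($1, r, "-") == 2 {
            if (!(r[1] in have))
                print "MISSING " $1
            else if (have[r[1]] + 0 < r[2] + 0)
                print "OUTDATED " r[1] "-" have[r[1]] " (need -" r[2] " or later)"
            else
                print "OK " r[1] "-" have[r[1]]
        }
    ' "$1" "$2"
}

demo() {
    tmp=${TMPDIR:-/tmp}/patchrev.$$
    mkdir "$tmp" || return 1
    # Constructed sample of `showrev -p` output.
    cat > "$tmp/installed" <<'EOF'
Patch: 900001-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 900001-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 900002-02 Obsoletes:  Requires: 900001-05 Incompatibles:  Packages: SUNWhea
EOF
    # Constructed minimum revisions, as if copied from the READMEs.
    cat > "$tmp/required" <<'EOF'
900001-05
900002-04
900003-01
EOF
    check_patch_revs "$tmp/installed" "$tmp/required"
    rm -rf "$tmp"
}

demo
```

On Solaris itself, substitute `nawk` or `/usr/xpg4/bin/awk` for `awk`, since the stock `/usr/bin/awk` is the old awk and lacks features used here.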