Updating Java has changed. In January 2019, the last public updates (for commercial users) of both Oracle JDK 8 and the Oracle OpenJDK JDK 11 were released. Non-commercial users, for example, those people running Java on their PCs at home to play Minecraft, will continue to get Oracle JDK 8 updates through the Java Control Panel functionality until the end of this year.
Until now, almost all Java users have been used to regular public updates being made available for the JDK, by Oracle, free of charge. These have always been for the current release and often for the previous release as well. This was thanks to a generous overlap to ease migration to the latest version.
However, Oracle only upstreams the source code for each update’s security patches and bug fixes into the current OpenJDK project repository. How these changes get into older versions requires other members of the OpenJDK community to do the work of backporting.
To make things more complicated, we have to deal with two three-letter acronyms for the updates: CPU and PSU. Both of these are terms used specifically by Oracle and are used across their whole product range, not just for Java.
Let’s look at what these terms are and what they mean to users of Java who want to stay up to date with their Java deployments.
A CPU is a Critical Patch Update, and the key term here is critical. Quoting from Oracle’s explanatory web page,
“Java SE Critical Patch Updates (CPU) contain fixes to security vulnerabilities and critical bug fixes.”
In other words, this is only the changes that Oracle considers to be most important to keep your Java runtime both secure and stable.
A PSU is a Patch Set Update and is a superset of the CPU. Again, quoting from the Oracle page,
“Java SE Patch Set Updates (PSU) contain all of the fixes in the corresponding CPU, as well as additional non-critical fixes.”
The CPU has an odd number, and the PSU is even. This explains why there was JDK 8u201 (CPU) and JDK 8u202 (PSU).
We can use a Venn diagram to make that clearer.
What does this mean for deploying updates for your Java applications?
If you want to ensure that your systems are as secure as possible, it is crucial to deploy the CPU as quickly as possible (assuming it contains fixes for security vulnerabilities with high CVSS scores). Since this includes a smaller number of changes, it should be safe to deploy the CPU with minimal testing (essentially ensuring that this does not prevent an application from starting up).
Having ensured the security of your applications is up to date, the PSU can then be used for more rigorous, full regression testing to ensure stability before deploying into a production environment.
The flow of updates and deployments can be summarised:
- Scheduled CPU and PSU builds released (PSU may be slightly later) by Oracle to their paying customers. The corresponding source code is upstreamed to the OpenJDK project as a combined PSU.
- Java users deploy the CPU build in production with minimal testing, but only if the severity of security fixes warrants this. The primary goal is to stay secure.
- After CPU deployment, Java users deploy the PSU build in production after extensive testing (ideally full regression). The primary goal is to deploy upgraded functionality and new features.
- Repeat this process for each subsequent update. This enables Java users to remain secure with minimal risk to operations.
Azul has decided that, for our Zulu Enterprise customers, we will provide both updates. To simplify things, we’ll call them the security-only update and security and other enhancements update. All our updates come with a defined Service Level Agreement (SLA) as to how quickly we guarantee to get them to our customers after Oracle release their update.
Last week brought us the latest Java SE update, are you ready to keep your Java applications secure and stable?
More details of Zulu Enterprise can be found here.