CPU, PSU and SLA. Making Sense of TLAs for Java Updates
Jan 22, 2020 | 6 MIN READ
Updating Java has changed. In January 2019, the last public updates (for commercial users) of both Oracle JDK 8 and the Oracle OpenJDK JDK 11 were released. Non-commercial users, for example, those people running Java on their PCs at home to play Minecraft, will continue to get Oracle JDK 8 updates through the Java Control Panel functionality until the end of this year.
Until now, almost all Java users have been used to regular public updates being made available for the JDK, by Oracle, free of charge. These have always been for the current release and often for the previous release as well. This was thanks to a generous overlap to ease migration to the latest version.
However, Oracle only upstreams the source code for each update’s security patches and bug fixes into the current OpenJDK project repository. How these changes get into older versions requires other members of the OpenJDK community to do the work of backporting.
To make things more complicated, we have to deal with two three-letter acronyms for the updates: CPU and PSU. Both of these are terms used specifically by Oracle and are used across their whole product range, not just for Java.
Let’s look at what these terms are and what they mean to users of Java who want to stay up to date with their Java deployments.
A CPU is a Critical Patch Update, and the key term here is critical. Quoting from Oracle’s explanatory web page,
“Java SE Critical Patch Updates (CPU) contain fixes to security vulnerabilities and critical bug fixes.”
In other words, this is only the changes that Oracle considers to be most important to keep your Java runtime both secure and stable.
A PSU is a Patch Set Update and is a superset of the CPU. Again, quoting from the Oracle page,
“Java SE Patch Set Updates (PSU) contain all of the fixes in the corresponding CPU, as well as additional non-critical fixes.”
As I wrote back in 2017, there have been almost as many Java version numbering schemes as there have been versions of Java.
In Java 7 and 8, the convention has been that the update number increments by 10 for each quarterly release, with the last digit of the update number carrying some meaning. If the last digit is a 1, it is a CPU, and if the last digit is a 2, it is a PSU. Other last-digit values are used for out-of-band updates. For example, 8u201 was a CPU and 8u202 was a PSU. Later, in OpenJDK, 8u261 was a CPU, 8u262 was a PSU, and 8u265 was the urgent OpenJDK fix for that PSU.
From Java 10 this nomenclature has changed according to JEP 322.
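As an added example (not code from the original post or from Azul), a small Python check that applies the Java 8 last-digit convention above: it parses `java -version` output, labels the update as CPU, PSU or out-of-band, and compares it against a CPU baseline. The sample output, the function names and the baseline value 261 are constructed for illustration, and anything other than Java 8 is reported as not covered by this scheme.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the "1.8.0_261" form printed by `java -version` and the short
# "8u261" release name; group 1 is the update number.
_JAVA8_VERSION = re.compile(r"(?:\b1\.8\.0_|\b8u)(\d+)")


@dataclass(frozen=True)
class Java8Update:
    update: int  # e.g. 261
    kind: str    # "CPU", "PSU" or "out-of-band"


def classify_java8(version: str) -> Java8Update:
    """Apply the Java 7/8 last-digit convention: 1 -> CPU (security and
    critical fixes only), 2 -> PSU (the CPU plus non-critical fixes),
    anything else -> out-of-band fix such as 8u265 on top of 8u262."""
    m = _JAVA8_VERSION.search(version)
    if not m:
        raise ValueError(f"not a Java 8 version string: {version!r}")
    update = int(m.group(1))
    kind = {1: "CPU", 2: "PSU"}.get(update % 10, "out-of-band")
    return Java8Update(update, kind)


def deployed_java8_update(output: str) -> Optional[Java8Update]:
    """Parse the first line of `java -version` output. Returns None for
    anything other than Java 8, since from Java 10 numbering follows JEP 322."""
    lines = output.strip().splitlines()
    quoted = re.search(r'version "([^"]+)"', lines[0]) if lines else None
    if not quoted or not quoted.group(1).startswith("1.8.0_"):
        return None
    return classify_java8(quoted.group(1))


def meets_cpu_baseline(deployed: Java8Update, latest_cpu: int) -> bool:
    """Current if the update number is at least the latest CPU: that quarter's
    PSU and any out-of-band fix on top of it are supersets of the CPU."""
    return deployed.update >= latest_cpu


# Constructed sample `java -version` output (not captured from a real host).
SAMPLE_OUTPUT = """openjdk version "1.8.0_262"
OpenJDK Runtime Environment (build 1.8.0_262-b10)
OpenJDK 64-Bit Server VM (build 25.262-b10, mixed mode)"""

if __name__ == "__main__":
    dep = deployed_java8_update(SAMPLE_OUTPUT)
    print(dep, meets_cpu_baseline(dep, 261))  # PSU 8u262 meets the 8u261 CPU baseline
```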
We can use a Venn diagram to make that clearer.
What does this mean for deploying updates for your Java applications?
If you want to ensure that your systems are as secure as possible, it is crucial to deploy the CPU as quickly as possible (assuming it contains fixes for security vulnerabilities with high CVSS scores). Since this includes a smaller number of changes, it should be safe to deploy the CPU with minimal testing (essentially ensuring that this does not prevent an application from starting up).
Having ensured the security of your applications is up to date, the PSU can then be used for more rigorous, full regression testing to ensure stability before deploying into a production environment.
The flow of updates and deployments can be summarised:
Azul has decided that, for our Zulu Enterprise customers, we will provide both updates. To simplify things, we’ll call them the security-only update and security and other enhancements update. All our updates come with a defined Service Level Agreement (SLA) as to how quickly we guarantee to get them to our customers after Oracle release their update.
Last week brought us the latest Java SE update. Are you ready to keep your Java applications secure and stable?
More details of Zulu Enterprise can be found here.