Updating Java has changed. In January 2019, the last public updates (for commercial users) of both Oracle JDK 8 and the Oracle OpenJDK JDK 11 were released. Non-commercial users, for example, those people running Java on their PCs at home to play Minecraft, continue to get Oracle JDK 8 updates through the Java Control Panel functionality until the end of 2020.
Almost all Java users have been used to regular public updates being made available for the JDK, by Oracle, free of charge. These have always been for the current release and often for the previous release as well. This was thanks to an overlap to ease migration to the latest version.
There are now a number of providers of OpenJDK binaries. However, Oracle only upstreams the source code for each update’s security patches and bug fixes into the current OpenJDK project repository. How these changes get into older versions requires other members of the OpenJDK community to do the work of backporting. To make things more complicated, we have to deal with two three-letter acronyms for the updates: CPU and PSU. Both of these are terms used specifically by Oracle and are used across their whole product range, not just for Java.
A CPU is a Critical Patch Update, and the key term here is “critical”. Java SE Critical Patch Updates (CPU) contain fixes to security vulnerabilities and critical bug fixes.
On foojay, fixes to security vulnerabilities and critical bug fixes are visualized and analyzed:
A PSU is a Patch Set Update and is a superset of the CPU. Java SE Patch Set Updates (PSU) contain all of the fixes in the corresponding CPU, as well as additional non-critical fixes.
On foojay, the quarterly non-critical fixes are visualized and analyzed:
The CPU has an odd number, and the PSU is even. This explains why there was JDK 8u201 (CPU) and JDK 8u202 (PSU).
What is the release cadence of CPUs and PSUs?
CPU releases are scheduled for release on the Tuesday closest to the 17th day of January, April, July, and October under the normal Oracle Critical Patch Update schedule.
What does this mean for deploying updates for your Java applications?
If you want to ensure that your systems are as secure as possible, it is crucial to deploy the CPU as quickly as possible (assuming it contains fixes for security vulnerabilities with high CVSS scores). Since this includes a smaller number of changes, it should be safe to deploy the CPU with minimal testing (essentially ensuring that this does not prevent an application from starting up).
Having ensured the security of your applications is up to date, the PSU can then be used for more rigorous, full regression testing to ensure stability before deploying into a production environment.