Hotpatch and Baseline Updates

Hotpatching, a feature of the Windows Server 2019: Azure Edition preview, allows security updates to be applied to in-memory processes on Azure VMs without requiring a reboot. This illustration shows how hotpatch updates and planned baseline updates interact.

Baseline updates, shown as filled circles on the middle track, require reboots. Planned baseline updates are released on a scheduled interval (initially once every three months) to bring the OS in line with the latest cumulative update. They include feature and quality updates, as well as security updates. Subsequent hotpatch updates, shown as empty circles on the upper track, do not require a reboot, include only security updates, and build on the previous planned baseline update. After another planned baseline is released, the subsequent hotpatches will build on the new baseline.

An unplanned baseline update may be released when important updates, like a zero-day vulnerability, mean a package cannot be released as a hotpatch. Any unplanned baselines replace the normal hotpatch for a given month, include the contents of a latest cumulative update, and also require a reboot. Subsequent hotpatches will build on any unplanned baseline in the same fashion as a planned baseline. Two unplanned updates, shown as filled circles on the lower track, are displayed as an example.