There are many strategies for patching your servers. I’ve worked in environments where we followed the “if it ain’t broke, don’t patch” philosophy, and 10 years ago this seemed reasonable in Solaris. Other environments try to apply every patch available from their vendors. I think the best approach is of course somewhere in between.
Sun makes available several patch bundles that many customers use for patching. The most popular bundle is the Recommended patch cluster for your Solaris version. This patch cluster provides the latest revisions of any patch that addresses a Sun Alert, which is any fix for security, data corruption or system availability. This is a well-tested combination of patches, known to be stable and compatible.
A second patch cluster is also available from Sun – the Sun Alert patch cluster. This cluster is similar to the recommended cluster, but with one difference. It contains the minimum revision of any patch that addresses a Sun Alert. Applying this cluster will fix all Sun Alert issues, while introducing the least amount of change to your systems.
Once you have more than 50 servers, it can take months to completely patch them, depending on maintenance windows and uptime requirements. Sometimes it’s difficult to know if a particular server is patched yet or not, or when the last patching took place. One trick I learned a while back was to create a nearly-empty Solaris package, with only a text file, containing the patch level installed. This package is installed or updated with each patch cycle so you know exactly which set of patches is installed at any time.
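A sketch of that marker package as a shell script, added here as an example and not taken from the original post. The package name `LOCpatch`, the file path `/etc/patchlevel` and the sample patch level are assumptions; the script writes the SVR4 `pkginfo` and `prototype` files and calls `pkgmk` only when it is present.

```shell
#!/bin/sh
# Added example: build a marker package that records the installed patch level.
# PKG, MARKER and the sample level below are assumptions, not from the article.
PKG=LOCpatch               # hypothetical package abbreviation
MARKER=etc/patchlevel      # hypothetical path, relative to BASEDIR=/

# write_marker_pkg LEVEL WORKDIR   (WORKDIR must be an absolute path)
# Writes patchlevel, pkginfo and prototype into WORKDIR.
write_marker_pkg() {
    level=$1; dir=$2
    # Reject empty levels and characters that are unsafe in pkginfo values.
    case $level in
        ''|*[!A-Za-z0-9._-]*) echo "bad patch level: $level" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    printf '%s\n' "$level" > "$dir/patchlevel"
    cat > "$dir/pkginfo" <<EOF
PKG=$PKG
NAME=Installed patch level marker
ARCH=all
VERSION=$level
CATEGORY=system
BASEDIR=/
CLASSES=none
EOF
    cat > "$dir/prototype" <<EOF
i pkginfo=$dir/pkginfo
f none $MARKER=$dir/patchlevel 0444 root sys
EOF
}

# build_marker_pkg LEVEL WORKDIR SPOOLDIR
# Generates the files, then runs pkgmk when it is available (Solaris).
build_marker_pkg() {
    write_marker_pkg "$1" "$2" || return 1
    if type pkgmk >/dev/null 2>&1; then
        mkdir -p "$3" && pkgmk -o -d "$3" -f "$2/prototype"
    else
        echo "pkgmk not found; wrote package files to $2 only" >&2
    fi
}

# On a Solaris host, after each patch cycle (sample level is constructed):
#   build_marker_pkg 2009Q1-recommended /var/tmp/patchpkg /var/tmp/spool
#   pkgadd -d /var/tmp/spool LOCpatch   # admin file with instance=overwrite
#                                       # replaces the previous version
#   pkgparam LOCpatch VERSION           # or: cat /etc/patchlevel
```

Because the level is stored as the package `VERSION`, the same value can be collected from every server with `pkgparam` or `pkginfo -l` and compared against the level you expect.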
Sun has come up with several patch management tools over the years, some better than others (PatchDiag, PatchCheck, PatchPro, smpatch). The most recent uses the “Patch Update Manager” in Solaris 10 or the xVM Ops Center product. If you’re looking for something low cost (free), then it might be worth looking at Patch Check Advanced. This tool analyzes your system and automatically downloads and installs patches fairly easily. It’s a great tool.