
Hotpatching is a way to install OS security updates on some supported Windows Server editions running in virtual machines (VMs) that doesn’t require a reboot after installation. It works by patching the in-memory code of running processes without the need to restart the process. 

Currently, hotpatch is supported only on VMs and Azure Stack HCI created from images with the exact combination of publisher, offer and SKU from the OS image list below:

Publisher                OS Offer        Sku
MicrosoftWindowsServer   WindowsServer   2022-Datacenter-Azure-Edition-Core
MicrosoftWindowsServer   WindowsServer   2022-Datacenter-Azure-Edition-Core-smalldisk
MicrosoftWindowsServer   WindowsServer   2022-Datacenter-Azure-Edition-Hotpatch
MicrosoftWindowsServer   WindowsServer   2022-Datacenter-Azure-Edition-Hotpatch-smalldisk

This seems like a big limitation, but the new Windows Server 2025 should also be added to this table.
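Because eligibility depends on the exact publisher/offer/SKU combination, it is worth checking the image reference a VM was actually built from rather than guessing from its name. The following PowerShell is an added example, not code from the original post or from Microsoft: it encodes the four combinations from the table above and compares them against what the Az.Compute `Get-AzVM` cmdlet reports for a VM. It assumes the Az modules are installed and you are already signed in; the resource group and VM names are placeholders.

```powershell
# Added example (not from the original post): check whether an Azure VM was
# created from one of the hotpatch-capable image SKUs listed in the table.
# Assumes Az.Compute is installed and Connect-AzAccount has already been run.

# The supported publisher/offer/SKU combinations, exactly as listed above.
$HotpatchImages = @(
    @{ Publisher = 'MicrosoftWindowsServer'; Offer = 'WindowsServer'; Sku = '2022-Datacenter-Azure-Edition-Core' },
    @{ Publisher = 'MicrosoftWindowsServer'; Offer = 'WindowsServer'; Sku = '2022-Datacenter-Azure-Edition-Core-smalldisk' },
    @{ Publisher = 'MicrosoftWindowsServer'; Offer = 'WindowsServer'; Sku = '2022-Datacenter-Azure-Edition-Hotpatch' },
    @{ Publisher = 'MicrosoftWindowsServer'; Offer = 'WindowsServer'; Sku = '2022-Datacenter-Azure-Edition-Hotpatch-smalldisk' }
)

function Test-HotpatchImage {
    param(
        [Parameter(Mandatory)] [string] $Publisher,
        [Parameter(Mandatory)] [string] $Offer,
        [Parameter(Mandatory)] [string] $Sku
    )
    # Marketplace image references are not case-sensitive, so compare with -ieq.
    foreach ($img in $HotpatchImages) {
        if ($img.Publisher -ieq $Publisher -and
            $img.Offer     -ieq $Offer     -and
            $img.Sku       -ieq $Sku) {
            return $true
        }
    }
    return $false
}

function Test-AzVMHotpatchEligible {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Name
    )
    $vm  = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name
    $ref = $vm.StorageProfile.ImageReference

    # Custom or gallery images carry no marketplace publisher/offer/SKU,
    # so they cannot match the list and are reported as not eligible.
    if (-not $ref -or [string]::IsNullOrEmpty($ref.Publisher)) {
        return [pscustomobject]@{
            VM       = $Name
            Eligible = $false
            Reason   = 'No marketplace image reference on the VM'
        }
    }

    [pscustomobject]@{
        VM        = $Name
        Publisher = $ref.Publisher
        Offer     = $ref.Offer
        Sku       = $ref.Sku
        Eligible  = (Test-HotpatchImage -Publisher $ref.Publisher -Offer $ref.Offer -Sku $ref.Sku)
    }
}

# Usage with placeholder names: one VM, or every VM in a resource group.
Test-AzVMHotpatchEligible -ResourceGroupName 'rg-placeholder' -Name 'vm-placeholder'
Get-AzVM -ResourceGroupName 'rg-placeholder' |
    ForEach-Object { Test-AzVMHotpatchEligible -ResourceGroupName $_.ResourceGroupName -Name $_.Name } |
    Format-Table -AutoSize
```

The image check is deliberately separated from the Azure call so the same list can be reused in a pipeline check before a VM is created (for example, against the `imageReference` in an ARM or Bicep template), catching a wrong SKU before the VM exists rather than after.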

Hotpatch works by first establishing a baseline with the current Cumulative Update for Windows Server. Periodically (starting every three months), the baseline is refreshed with the latest Cumulative Update, and hotpatches are then released for the two months that follow. For example, if January is a Cumulative Update, February and March would be hotpatch releases.

For the hotpatch release schedule, see Release notes for Hotpatch in Azure Automanage for Windows Server 2022.

Hotpatches contain updates that don’t require a reboot. Because Hotpatch patches the in-memory code of running processes without the need to restart the process, your applications are unaffected by the patching process. This is separate from any potential performance and functionality implications of the patch itself.

The following image is an example of an annual three-month schedule (including example unplanned baselines due to zero-day fixes).

A diagram showing a Hotpatch sample schedule.

There are two types of baselines: Planned baselines and Unplanned baselines.

  • Planned baselines are released on a regular cadence, with hotpatch releases in between. Planned baselines include all the updates in a comparable Latest Cumulative Update for that month, and require a reboot.
    • The sample schedule illustrates four planned baseline releases in a calendar year (five total in the diagram), and eight hotpatch releases.
  • Unplanned baselines are released when an important update (such as a zero-day fix) is released, and that particular update can’t be released as a hotpatch. When unplanned baselines are released, a hotpatch release is replaced with an unplanned baseline in that month. Unplanned baselines also include all the updates in a comparable Latest Cumulative Update for that month, and also require a reboot.
    • The sample schedule illustrates two unplanned baselines that would replace the hotpatch releases for those months (the actual number of unplanned baselines in a year isn’t known in advance).
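To plan maintenance windows around this cadence, it helps to model it: planned baselines on a fixed quarterly cadence, hotpatches in the months between, and any unplanned baseline replacing the hotpatch for its month. The PowerShell below is an added example that is not part of the original post and does not reproduce Microsoft's real release calendar; the quarterly months and the unplanned-baseline months are constructed inputs, and the only rule it encodes is the one described above, namely that baselines (planned or unplanned) require a reboot and hotpatches do not.

```powershell
# Added example (not from the original post): model a year of the release
# cadence described above and flag which months need a reboot window.
function Get-HotpatchSchedule {
    param(
        [int]   $Year = (Get-Date).Year,
        # Months with a planned baseline; default is the quarterly cadence
        # used in the text (January baseline, February and March hotpatch, ...).
        [int[]] $PlannedBaselineMonths = @(1, 4, 7, 10),
        # Constructed input: months in which an unplanned baseline (for example
        # a zero-day fix) replaces that month's hotpatch release.
        [int[]] $UnplannedBaselineMonths = @()
    )
    foreach ($m in 1..12) {
        if ($PlannedBaselineMonths -contains $m) {
            $type = 'Planned baseline'
        } elseif ($UnplannedBaselineMonths -contains $m) {
            $type = 'Unplanned baseline'
        } else {
            $type = 'Hotpatch'
        }
        [pscustomobject]@{
            Month          = (Get-Date -Year $Year -Month $m -Day 1).ToString('MMM yyyy')
            ReleaseType    = $type
            # Only hotpatch months are reboot-free; both baseline types reboot.
            RebootRequired = ($type -ne 'Hotpatch')
        }
    }
}

# Example year with constructed unplanned baselines in May and November:
# four planned baselines, two unplanned, six hotpatch months.
$schedule = Get-HotpatchSchedule -Year 2024 -UnplannedBaselineMonths 5, 11
$schedule | Format-Table -AutoSize

# Months that need a maintenance window with a reboot.
$schedule | Where-Object RebootRequired | Select-Object -ExpandProperty Month
```

With no unplanned months passed in, the function yields the four planned baselines and eight hotpatch releases the sample schedule describes; each unplanned month you add converts one hotpatch month into a reboot month, which is exactly why the number of reboot windows in a year cannot be fixed in advance.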