Changes to IBM MQ's maintenance delivery model

Content

What is changing?

To continue to deliver proactive product security updates across supported IBM MQ releases, from 1Q 2023 there will be 2 types of IBM MQ maintenance delivery: fix packs, and cumulative security updates (CSUs).

Fix packs continue to be produced exclusively for Long Term Support (LTS) releases during their normal support lifecycle, in keeping with previous practices.

CSUs will be produced for LTS releases (including releases in extended support), and for the latest IBM MQ continuous delivery (CD) release, as required to deliver relevant security patches.

The schedule for CSU maintenance deliveries will be governed by the availability of security updates for each release. Currently IBM does not intend to alter the current cadence for fix pack deliveries, which is typically 2 or 3 fix packs a year for each LTS release.

IBM MQ continues to use a "V.R.M.F" version identifier format. On distributed platforms, LTS releases will continue to be designated by a zero (0) in the "M" digit of the V.R.M.F version identifier - for example 9.3.0.x . CD releases have a non-zero value in the "M" digit of the V.R.M.F version identifier - for example 9.3.1.x.

On z/OS there is an IBM MQ for z/OS LTS release and an IBM MQ for z/OS CD release for each major version - such as MQ 9.3.0 - which are functionally identical. You can distinguish between an LTS and CD release with the same VRM level by looking at the CSQY000I message in the queue manager job log.

For more information on the differences between CD and LTS releases, refer to the IBM MQ FAQ for Long Term Support and Continuous Delivery releases.

What is the difference between CSUs and fix packs?

Fix packs continue to contain maintenance bundles for LTS releases, and are the vehicle for shipping most IBM “APAR” code fixes for these releases during their support lifecycle.

CSU deliveries contain typically small numbers of security updates, although IBM may on occasion ship additional APARs in these deliveries if a technical need should arise, for example if intrinsically linked to a security update.

In both cases, the updates are applied by using the same platform-native install technologies that have been used previously to deliver fix pack maintenance on the LTS releases, and so existing processes or automation can be used to deploy both types of maintenance.

How can I tell if a maintenance delivery is a CSU or a fix pack?

For maintenance releases in or after 1Q 2023, both types of delivery are numbered using IBM MQ’s existing V.R.M.F version identifier semantics. The F-digit of the V.R.M.F version identifier is incremented for each new maintenance delivery.

F-digits divisible by 5 are exclusively used to denote a fix pack, whereas CSUs always use F-digits that are not multiples of 5.

For example, 9.3.0.5 would denote a fix pack on the 9.3 LTS release, whereas 9.3.0.6 and 9.3.0.7 would denote CSU deliveries.

Do CD releases receive fix packs?

No, CD releases will only receive CSU maintenance, and so will not use F-digits that are multiples of 5 in the F-digit of the V.R.M.F version identifier.

CSU maintenance is provided only on the latest CD release.

Which platforms does this process apply to?

This process applies to:

• IBM MQ on all supported Unix, Linux and Windows platforms
• IBM MQ on IBM i
• The IBM MQ Appliance
• IBM MQ on HPE NonStop

This process also applies to the JMS, Managed File Transfer (MFT) and WebUI features of IBM MQ for z/OS, which are updated in conjunction with maintenance deliveries on Unix, Linux and Windows platforms.

The IBM MQ container image available for use within the IBM Cloud Pak for Integration will be updated to reflect new CSU and fix pack maintenance when available.

Does CSU maintenance contain older fixes?

Yes, maintenance deliverables are always cumulative for the release, so applying the latest maintenance level also addresses issues fixed in earlier maintenance for that release, regardless of whether the latest maintenance is a fix pack or CSU.

Do CSUs and fix packs need to be applied sequentially?

No, maintenance deliverables are always cumulative for the release, so applying the latest maintenance level also addresses issues fixed in earlier maintenance for that release, regardless of whether the latest maintenance is a fix pack or CSU. There is no need to apply intermediate maintenance levels before applying the latest maintenance.

Can a fix pack be applied on top of CSU maintenance for the same release?

Yes, if it has a higher F-digit than the CSU maintenance.

Can CSU maintenance be applied on top of a fix pack for the same release?

Yes, if it has a higher F-digit than the fix pack.

Can the same maintenance be applied to multiple IBM MQ releases?

No, fix packs and CSUs can only be applied to installations with the same V.R.M version level as the maintenance. For example, fix pack 9.3.0.5 can only be applied to a 9.3.0 installation - for example a release at version 9.3.0.0 or 9.3.0.4. It cannot be applied to a 9.3.1[.0] installation as the M-digit is different.

How often will CSU maintenance be released?

CSU maintenance is delivered on applicable releases only when security updates are required, no more than once per month.

On an exceptional basis, critical fixes might be made available independently of CSU releases for expediency, but will also be included in the next available maintenance delivery.

If LTS fix pack F-digits are multiples of 5, does this mean there will be 4 CSUs between each LTS fix pack?

No, CSU releases will only be produced when security updates are required for a particular release. On this basis, it is not possible to predict their frequency, and so some F-digits will likely be skipped. In the event that more than 4 CSUs were required in between LTS fix packs, the next F-digit would be incremented to the next non-multiple of 5 for the CSU and the next fix pack would use the next available multiple of 5.

For example, if the current CSU was 9.2.0.24, and an additional CSU was required, the additional CSU would be assigned version 9.2.0.26, and the next fix pack for the 9.2 release would be 9.2.0.30. The fix list pages for each IBM MQ release will be maintained to confirm which version numbers have been used for each release.

Do I need to apply the same level to all of my queue managers and clients?

No, while IBM recommends applying the latest maintenance when available, there is no requirement to maintain all installations at the same level. IBM MQ’s established policy on version compatibility and coexistence remains unaffected.

How do I know where to apply security updates across my estate?

As part of this enhanced process, IBM will provide additional information through IBM MQ security bulletins and fix lists, to identify which installable components or deliverables are affected by security updates.

Can security fixes be built on an earlier release?

IBM strongly recommends applying the latest available maintenance deliverable as your preventive maintenance strategy. IBM cannot guarantee that all fixes can be made available against earlier maintenance levels. For more information, refer to the IBM Support guide.