HomeEE · Operations › Patching & service packs

Patching & service packs

Purpose: Keep AEM 6.5 current on service packs and security fixes without breaking the platform each quarter.

Who this page is for

AudienceWhy it matters to you
Platform engineersExecutors
Tech leadsCadence owners

What arrives and when

ArtefactCadenceContains
Service Pack (6.5.x)~QuarterlyCumulative fixes + security + occasional feature/API deltas
Security bulletins/hotfixesAs neededTargeted fixes — some are drop-everything
Java/OS patchesYour platform cadenceThe JVM under AEM is part of the platform

Policy that works: stay within one SP of current (N or N−1). The gap compounds — three skipped SPs make the fourth a migration project, and security posture decays meanwhile (vulnerability governance).

SP installation is a release

Treat an SP exactly like a code release through the pipeline environments:

1. Read release notes for: API changes, overlay-affecting UI changes, index changes, config default changes
2. Dev: install, full regression of YOUR code (SPs update /libs — your overlays and superType chains are the risk surface)
3. Stage: install + soak a week: authors work, synthetics run, perf sanity
4. Prod: maintenance window ([windows](/ee-operations/maintenance-windows.html)), author then rolling publish,
   post-install verification incl. reindex/queue checks the notes call out

The overlay audit (the recurring SP gotcha)

Every SP, diff your overlays (/apps copies of /libs paths — repository structure) against the new /libs versions: an overlay pins OLD product UI/behaviour over patched code. Keep the overlay inventory small and documented; each one is a standing SP-upgrade tax.

Emergency security patches

Compressed timeline, same rails: dev smoke (hours not days) → stage synthetic pass → prod window. The severity of the CVE sets the clock; it never justifies skipping the stage pass — a broken patch install during an active threat is the worst of both worlds.

Quick navigation