This post is in part tongue-in-cheek, and in part serious. Last week someone told me that even the NSA (yes, the National Security Agency of the USA) now advises upgrading to Oracle Solaris 11.4, and my initial thought was "sure they do", but I was swiftly pointed to this very recent Cybersecurity Advisory they had put out (which also acts as guidance for the various government agencies). And sure enough, it states:
"Upgrade to Solaris® 11.4 from earlier versions of Solaris® and apply the latest Support Repository Update (SRU)."
It also says that the best way to keep your systems and applications safe is to keep up to date with the latest SRU, or at least "every third SRU", which we call a Critical Patch Update, a.k.a. a CPU. They state that this "contains critical fixes for multiple vulnerabilities, including those documented as Common Vulnerabilities and Exposure (CVE®) entries". Of course we don't hold any critical fixes back for the CPU; they are released in the next available SRU. But if you can't update the system more often than every quarter, the CPUs are the best SRUs to go for.
By the way, when we say the CPU comes out "every quarter", we mean it's the SRU that comes out in January, April, July, and October. So if your schedule restricts when you can update, it's best to focus on these dates, even if you only update once every 6 or 12 months. The simplest way to stay on the CPU track is to update this package every month:
# pkg update solaris-11-cpu@latest
It is also good to note that applying an older SRU or CPU doesn't help: an SRU doesn't "mature" over time, it is a point-in-time snapshot of what we think is the best, most secure, most stable version of Oracle Solaris. So when applying an SRU or CPU, always consider the newest one. You could choose to apply the latest CPU even if there are newer SRUs out, but holding off doesn't make a version better.
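As an added example (not from the original post, and not Oracle's own tooling), here is a small POSIX sh check that parses the output of `pkg list -af solaris-11-cpu` to tell whether the installed CPU package is the newest one the repository offers, so a monthly job can flag systems that fell behind. The version strings in the sample are constructed, and it assumes pkg lists versions newest first.

```shell
#!/bin/sh
# Added example, not Oracle's code: is the installed solaris-11-cpu the latest?
# Input is the text of `pkg list -af solaris-11-cpu`. Columns are:
#   NAME (PUBLISHER)   VERSION   IFO   (I = installed, F = frozen, O = obsolete)

# Constructed sample output (version strings are made up for illustration).
SAMPLE_PKG_LIST='NAME (PUBLISHER)                 VERSION     IFO
solaris-11-cpu (solaris)         2023.4-1    ---
solaris-11-cpu (solaris)         2023.1-1    i--
solaris-11-cpu (solaris)         2022.10-1   ---'

# Version string of the row whose IFO column starts with "i" (installed).
installed_cpu_version() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 ~ /^i/ { print $3; exit }'
}

# Assumption: pkg list -af prints versions newest first, so the first data
# row (after the header) is the latest version available from the repository.
latest_cpu_version() {
    printf '%s\n' "$1" | awk 'NR == 2 { print $3 }'
}

# Exit status 0 when the installed CPU equals the latest, 1 otherwise
# (also 1 when nothing is installed, which is worth flagging too).
cpu_is_current() {
    inst=$(installed_cpu_version "$1")
    latest=$(latest_cpu_version "$1")
    [ -n "$inst" ] && [ "$inst" = "$latest" ]
}

# Live use on an Oracle Solaris host with repository access (kept commented
# so the example runs offline); -n makes pkg update a dry run, -v shows the plan.
# if ! cpu_is_current "$(pkg list -af solaris-11-cpu)"; then
#     echo "solaris-11-cpu is behind the latest CPU"
#     pkg update -nv solaris-11-cpu@latest
# fi
```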
This of course holds for Oracle Solaris versions and updates too. So if you're still running Oracle Solaris 10 or maybe Oracle Solaris 11.3, unless staying is absolutely necessary or there's some technical reason holding you back, we strongly advise moving to Oracle Solaris 11.4. And if you're running an earlier version of Oracle Solaris 11, this is as easy as applying an SRU, and it gives you an easy way to roll back if necessary.
Oracle Solaris 11.4 and its SRUs/CPUs are simply the best, most secure version of our Operating System. And now if you get pushback "why should we move to 11.4?" you can say: "Because the NSA says so."