A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance. Though meant to fix problems, poorly designed patches can sometimes introduce new problems (see software regressions). In some special cases updates may knowingly break the functionality, for instance, by removing components for which the update provider is no longer licensed or disabling a device.
Patch management is the process of using a strategy and plan of what patches should be applied to which systems at a specified time.
Patches for proprietary software are typically distributed as executable files instead of source code. This type of patch modifies the program executable—the program the user actually runs—either by modifying the binary file to include the fixes or by completely replacing it.
Patches can also circulate in the form of source code modifications. In this case, the patches usually consist of textual differences between two source code files, called "diffs". These types of patches commonly come out of open source projects. In these cases, developers expect users to compile the new or changed files themselves.
Because the word "patch" carries the connotation of a small fix, large fixes may use different nomenclature. Bulky patches or patches that significantly change a program may circulate as "service packs" or as "software updates". Microsoft Windows NT and its successors (including Windows 2000, Windows XP, and later versions) use the "service pack" terminology.
Historically, software suppliers distributed patches on paper tape or on punched cards, expecting the recipient to cut out the indicated part of the original tape (or deck), and patch in (hence the name) the replacement segment. Later patch distributions used magnetic tape. Then, after the invention of removable disk drives, patches came from the software developer via a disk or, later, CD-ROM via mail. With the widely available Internet access, downloading patches from the developer's web site or through automated software updates became often available to the end-users.
Computer programs can often coordinate patches to update a target program. Automation simplifies the end-user’s task – they need only to execute an update program, whereupon that program makes sure that updating the target takes place completely and correctly. Service packs for Microsoft Windows NT and its successors and for many commercial software products adopt such automated strategies.
Some programs can update themselves via the Internet with very little or no intervention on the part of users. The maintenance of server software and of operating systems often takes place in this manner. In situations where system administrators control a number of computers, this sort of automation helps to maintain consistency. The application of security patches commonly occurs in this manner.
The size of patches may vary from a few kilobytes to hundreds of megabytes — mostly more significant changes imply a larger size, though this also depends on whether the patch includes entire files or only the changed portion(s) of files. In particular, patches can become quite large when the changes add or replace non-program data, such as graphics and sounds files. Such situations commonly occur in the patching of computer games. Compared with the initial installation of software, patches usually do not take long to apply.
In the case of operating systems and computer server software, patches have the particularly important role of fixing security holes. Patches may require prior application of other patches, or may require prior or concurrent updates of several independent software components. To facilitate updates, operating systems often provide automatic or semi-automatic update facilities. Completely automatic updates have not succeeded in gaining widespread popularity in corporate computing environments, partly because of the aforementioned glitches, but also because administrators fear that software companies may gain unlimited control over their computers. Package management systems can offer various degrees of patch automation.
Usage of completely automatic updates is far more widespread in the consumer market, due largely to the fact that Microsoft Windows added support for them, and Service Pack 2 of Windows XP enabled them by default. Cautious users, particularly system administrators, tend to put off applying patches until they can verify the stability of the fixes. Microsoft (W)SUS support this. In the cases of large patches or of significant changes, distributors often limit availability of patches to qualified developers as a beta test.
Applying patches to firmware poses special challenges: re-embedding typically small code sets on hardware devices often involves the provision of totally new program code, rather than simply of differences from the previous version. Often the patch consists of bare binary data and a special program that replaces the previous version with the new version is provided. A motherboard BIOS update is an example of a common firmware patch. Any unexpected error or interruption during the update, such as a power outage, may render the motherboard unusable. It is possible for motherboard manufacturers to put safeguards in place to prevent serious damage. An example safeguard is to keep a backup of the firmware to use in case the primary copy is determined to be corrupt (usually through the use of a checksum, such as a CRC).
Video games receive patches to fix compatibility problems after their initial release just like any other software, but they can also be applied to change game rules or algorithms. These patches may be prompted by the discovery of exploits in the multiplayer game experience that can be used to gain unfair advantages over other players. Extra features and game play tweaks can often be added. These kinds of patches are common in first-person shooters with multiplayer capability, and in MMORPGs. MMORPGs, which are typically very complex with large amounts of content, almost always rely heavily on patches following the initial release, where patches sometimes add new content and abilities available to players. Because the balance and fairness for all players of an MMORPG can be severely corrupted within a short amount of time by an exploit, servers of an MMORPG are sometimes taken down with short notice in order to apply a critical patch with a fix.
In software development
Patches sometimes become mandatory to fix problems with libraries or with portions of source code for programs in frequent use or in maintenance. This commonly occurs on very large-scale software projects, but rarely in small-scale development.
In open source projects, the authors commonly receive patches or many people publish patches that fix particular problems or add certain functionality, like support for local languages outside the project's locale. In an example from the early development of the Linux operating system (noted for publishing its complete source code), Linus Torvalds, the original author, received hundreds of thousands of patches from many programmers to apply against his original version.
The Apache HTTP Server originally evolved as a number of patches that Brian Behlendorf collated to improve NCSA HTTPd, hence a name that implies that it is a collection of patches ("a patchy server"). The FAQ on the project's official site states that the name 'Apache' was chosen from respect for the Native American Indian tribe of Apache. However, the 'a patchy server' explanation was initially given on the project's website.
A security patch is a change applied to an asset to correct the weakness described by a vulnerability. This corrective action will prevent successful exploitation and remove or mitigate a threat’s capability to exploit a specific vulnerability in an asset.
Security patches are the primary method of fixing security vulnerabilities in software. Currently Microsoft releases its security patches once a month, and other operating systems and software projects have security teams dedicated to releasing the most reliable software patches as soon after a vulnerability announcement as possible. Security patches are closely tied to responsible disclosure.
An unofficial patch is a non-commercial patch for a commercial software created by a third party instead of the original developer. Similar to an ordinary patch, it alleviates bugs or shortcomings. Examples are security fixes by security specialists when an official patch by the software producers itself takes too long. Other examples are unofficial patches created by the game community of a video game which became unsupported abandonware.
Hot patching, also known as live patching or dynamic software updating, is the application of patches without shutting down and restarting the system or the program concerned. This addresses problems related to unavailability of service provided by the system or the program. A patch that can be applied in this way is called a hot patch.
- "Microsoft issues biggest software patch on record". Reuters. 2009-10-14. Retrieved 14 October 2009.
- Wayback Machine link to the Apache website, 1997
- Barwise, Mike (2007-10-16). "Unofficial patch for Windows URI problem". The H Security. Retrieved 2012-01-29.
- "Another unofficial IE patch offered to counter critical flaw". Computer Weekly. 2006-03-30. Retrieved 2013-07-09.
Another unofficial patch has been released to counter a critical flaw in Microsoft’s Internet Explorer browser.
- Wen, Howard (2004-06-10). "Keeping the Myths Alive". linuxdevcenter.com. Retrieved 2012-12-22.
[...]fans of the Myth trilogy have taken this idea a step further: they have official access to the source code for the Myth games. Organized under the name MythDevelopers, this all-volunteer group of programmers, artists, and other talented people devote their time to improving and supporting further development of the Myth game series.
- Bell, John (2009-10-01). "Opening the Source of Art". Technology Innovation Management Review. Retrieved 2012-12-30.
[...]that no further patches to the title would be forthcoming. The community was predictably upset. Instead of giving up on the game, users decided that if Activision wasn't going to fix the bugs, they would. They wanted to save the game by getting Activision to open the source so it could be kept alive beyond the point where Activision lost interest. With some help from members of the development team that were active on fan forums, they were eventually able to convince Activision to release Call to Power II's source code in October of 2003.
- "Oracle Magazine". Oracle.com. Retrieved 2013-01-04.