With great virtualisation comes great responsibility!

Should I always upgrade my ESX implementation as soon as a new service pack is released? Obviously, after the disaster that was Update 2, the answer is hell no!!

But here’s another reason to be careful about applying updates without considering your environment.

There is a firewall on the service console to protect it from the network. To ensure it is relatively secure, the firewall only opens ports for required services. For example, when I enable software iSCSI, ESX SHOULD open up port 3260 outbound.

Interestingly enough, I can SSH to an ESX server from an external host, but, by default, can’t SSH from an ESX server once I am connected. This is because tcp/22 is NOT enabled outbound by default.
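As an added example (not from the original post), here is a small service-console script that checks which firewall services are enabled against the set you expect, so drift after an update shows up immediately. It assumes ESX 3.x's `esxcfg-firewall -q` prints an `Enabled services:` line (format assumed from memory), and the expected service list is a placeholder you would tailor to your environment.

```shell
#!/bin/sh
# Added example, not VMware's code: audit the ESX 3.x service console firewall.
# Assumption: `esxcfg-firewall -q` prints a line "Enabled services: a b c".

# Services this environment expects (assumption: adjust to your own build).
# sshServer and swISCSIClient are ESX 3.x firewall service names.
EXPECTED_SERVICES="sshServer swISCSIClient"

# Constructed sample standing in for `esxcfg-firewall -q` output, so the
# script can be exercised off an ESX host. Note sshClient is enabled here
# and swISCSIClient is not, which is the kind of drift to catch.
SAMPLE_QUERY='Incoming and outgoing ports blocked by default.
Enabled services: sshServer sshClient
Opened ports:'

# Read query output on stdin, print enabled service names one per line.
enabled_services() {
    sed -n 's/^Enabled services: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Compare enabled services (stdin) with the expected list ($1).
# Prints "MISSING x" / "UNEXPECTED x"; returns 0 only on an exact match.
audit_services() {
    expected="$1"
    actual=$(enabled_services)
    rc=0
    for svc in $expected; do
        echo "$actual" | grep -qx "$svc" || { echo "MISSING $svc"; rc=1; }
    done
    for svc in $actual; do
        echo "$expected" | tr ' ' '\n' | grep -qx "$svc" \
            || { echo "UNEXPECTED $svc"; rc=1; }
    done
    return $rc
}

# On a real host query the firewall; elsewhere fall back to the sample.
if [ -x /usr/sbin/esxcfg-firewall ]; then
    /usr/sbin/esxcfg-firewall -q | audit_services "$EXPECTED_SERVICES" \
        || echo "service console firewall differs from the expected set"
else
    printf '%s\n' "$SAMPLE_QUERY" | audit_services "$EXPECTED_SERVICES" \
        || echo "service console firewall differs from the expected set"
fi
```

Run it before and after applying an update and diff the two reports; a service that silently appears or disappears is exactly the surprise the post warns about.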

In certain environments there are other considerations to take into account as well. For example, is ESX’s firewall EAL 4+ European Accredited or TESG Accredited?

The answer is kind of interesting. ESX 3.0.2 has been certified EAL4+, so this would include all components, including the firewall. ESX 3.5 U2 is being reviewed at this point and there is no fixed date as to when it will be certified.

March 5, 2009 · VMWare
