I have several systems that were running 11.0-p1 (RELEASE) and needed to update them to the latest security patches. Freebsd-update brought down the updates and when they were installed it said nothing about rebooting so I didn't. freebsd-version -ku 11.0-RELEASE-p2 11.0-RELEASE-p3 uname -a FreeBSD sermons 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu Sep 29 01:43:23 UTC 2016 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 Once I rebooted the system, uname showed -p2: FreeBSD master 11.0-RELEASE-p2 FreeBSD 11.0-RELEASE-p2 #0: Mon Oct 24 06:55:27 UTC 2016 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 Apparently a reboot was required after the freebsd-update install and it should have told me that was the case.
(In reply to bc979 from comment #0) > … were running 11.0-p1 (RELEASE) … > freebsd-version -ku > 11.0-RELEASE-p2 > 11.0-RELEASE-p3 Non-official <https://bokut.in/freebsd-patch-level-table/#releng/11.0> shows: * reboot required for one of the three patches to reach p2 * no such _requirement_ for the one patch between p2 and p3. For the latter, more specifically: > … The sshd(8) service has to be restarted after the update. > A reboot is recommended but not required. … – <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:33.openssh.asc>
The reboot recommendation/requirement issue continues on to the latest versions. The current approach appears to be that a reboot is recommended somewhere in the documentations and then leave it up to the administrator to determine if there is anything running that needs to be restarted. It would seem to me that it would be better to require the reboot and then show the kinds of processes that would not get updated if a reboot was not performed. The best approach would be for the system to examine itself and determine which running processes require a reboot and make the recommendation based on that. I suspect that would be much more difficult to implement though.