Is it possible to not install new programs on a server and sidestep any Meltdown/Spectre vulnerabilities, because it is only a newly identified issue?
I have an SLES server that runs a fixed database load. It's an Intel Xeon on AWS (HVM) in a VPC private subnet. As I look back, no new program binaries nor processes have been added to this server since it was launched over a year ago. But we have applied recommended OS/DBMS patches regularly (which obviously brings in new code).
From what I have read so far, database-type workloads will take a huge performance hit from the fixes. It is already running at about 60-80% CPU during peak hours, and growing, so I do expect to upgrade to a bigger server in 2-3 months' time.
Under these circumstances, does it make sense to skip the fix? If yes, how far can this be stretched?
I am not very familiar with kernels and VMs.
Thanks a lot.