Oracle says that its Java critical patch updates (CPU) are cumulative in nature; therefore, in theory, if a server had not applied its Java CPUs for (for example) a year, it would only need to apply the latest CPU rather than all the previous ones in order. However, in my organisation, the latest patches have been applied yet Qualys still shows all the *previous* vulnerabilities still exist and have not been remediated.
So I am trying to work out whether applying e.g. the July 2014 Oracle Java SE Critical Patch Update does actually roll up and fix all of the previous vulnerabilities as claimed. If it does, this would suggest that Qualys is showing false positives. Has anyone got any experience on this, or can anyone advise on detection signature etc.? Thanks.