Wednesday, December 31, 2025

How to Stop MySQL from Auto-Updating on Ubuntu Server 22.04 (and Verify It Won’t Happen)

If you run MySQL on Ubuntu Server 22.04, you already know the problem:
Ubuntu is very helpful about updates — sometimes too helpful.

An unattended MySQL upgrade can:

  • Restart the service

  • Break replication

  • Introduce subtle behavior changes

  • Ruin a carefully controlled production setup

This post shows how to stop MySQL from auto-updating and how to prove in advance that no update will sneak in.

No hand-waving. Real commands. Verifiable results.


The Real Culprit: Unattended Upgrades

Ubuntu uses a background service called unattended-upgrades to silently install updates. That includes MySQL unless you explicitly stop it.

You have three levels of control. Most servers should use Level 1 or 2.


Option 1 — Freeze MySQL with apt-mark hold (Recommended)

This is the simplest and safest approach.

sudo apt-mark hold mysql-server mysql-client mysql-common

What this does:

  • APT will refuse to upgrade these packages

  • Even if someone runs apt upgrade

  • Even if unattended-upgrades runs overnight

Verify the hold:

apt-mark showhold

Expected output:

mysql-client
mysql-common
mysql-server

To undo later:

sudo apt-mark unhold mysql-server mysql-client mysql-common

Option 2 — Let Ubuntu Update Everything Except MySQL

If you want security updates for the OS but not for MySQL, blacklist it from unattended upgrades.

Edit the config:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Find:

Unattended-Upgrade::Package-Blacklist { };

Add:

Unattended-Upgrade::Package-Blacklist { "mysql-server"; "mysql-client"; "mysql-common"; };

Restart the service:

sudo systemctl restart unattended-upgrades

This keeps the system secure while freezing MySQL.


Option 3 — Disable Automatic Updates Entirely (Use With Caution)

This is a blunt instrument.

sudo systemctl disable --now unattended-upgrades

Or:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Set:

APT::Periodic::Unattended-Upgrade "0";

Only do this if you commit to manual patching.


How to Verify Beforehand That MySQL Will NOT Update

This is the part most guides skip. Don’t trust configuration — verify behavior.


1. Check What APT Thinks Is Upgradable

apt list --upgradable | grep -i mysql

Correct result: no output
If you see MySQL packages here, they are not frozen.


2. Simulate a Full Upgrade (Dry Run)

sudo apt -s upgrade | grep -i mysql

The -s flag means simulate only.
Nothing will be installed.

Correct result: no MySQL packages listed.


3. Simulate Unattended Upgrades Directly

This tests the exact logic Ubuntu uses overnight.

sudo unattended-upgrades --dry-run --debug | grep -i mysql

If MySQL is held or blacklisted, it will be skipped.


4. Double-Check Package Holds

apt-mark showhold

If MySQL isn’t listed, it’s not protected.


5. (Optional) Verify Pinning Rules

If you’re using apt pinning:

apt-cache policy mysql-server

You should see a pin priority preventing upgrades.


The “I’m Safe” Checklist

Run these three commands:

apt list --upgradable | grep -i mysql
sudo apt -s upgrade | grep -i mysql
sudo unattended-upgrades --dry-run --debug | grep -i mysql

If all three return empty, MySQL will not update. Period.
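
The hold check and the dry run above can be combined into one script. This is an added example, not part of the original post. It reads hold state from dpkg's status flags, so an installed package that was never named in the hold (for instance a versioned one such as mysql-server-8.0) is reported, and it counts only `Inst` lines from the simulation, because apt also names held packages under "kept back". The `mysql` name prefix, the `--live` switch and the sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the packages to protect
# are the ones whose names start with "mysql"; adjust the pattern as needed.

# Reads "<dpkg status abbrev> <package>" lines; prints installed mysql*
# packages whose desired state is not hold (first status char is not "h").
unheld_mysql() {
    awk 'substr($1,2,1) == "i" && substr($1,1,1) != "h" && $2 ~ /^mysql/ { print $2 }'
}

# Reads simulated apt-get output; prints mysql* packages it would install.
# Only "Inst" lines count, so names listed under "kept back" are ignored.
planned_mysql() {
    awk '$1 == "Inst" && $2 ~ /^mysql/ { print $2 }'
}

# Constructed sample data (not captured from a real server).
sample_dpkg() {
    cat <<'EOF'
hi  mysql-server
hi  mysql-client
hi  mysql-common
ii  mysql-server-8.0
rc  mysql-server-5.7
ii  openssl
EOF
}
sample_apt() {
    cat <<'EOF'
The following packages have been kept back:
  mysql-client mysql-common mysql-server
Inst mysql-server-8.0 [old] (new example-origin [amd64])
Inst openssl [old] (new example-origin [amd64])
Conf mysql-server-8.0 (new example-origin [amd64])
EOF
}

# "--live" inspects this host; with no argument the sample data is used.
if [ "${1:-}" = "--live" ]; then
    unheld=$(dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' | unheld_mysql)
    planned=$(apt-get -s upgrade 2>/dev/null | planned_mysql)
else
    unheld=$(sample_dpkg | unheld_mysql)
    planned=$(sample_apt | planned_mysql)
fi
[ -z "$unheld" ] || printf 'not held: %s\n' $unheld
[ -z "$planned" ] || printf 'would upgrade: %s\n' $planned
if [ "${1:-}" = "--live" ] && [ -n "$unheld$planned" ]; then exit 1; fi
```

Run with `--live`, the script exits non-zero when any installed mysql* package is unheld or scheduled for upgrade, so it can gate a maintenance job.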


Final Advice

  • Production server? Use apt-mark hold

  • Security-conscious server? Use unattended-upgrade blacklist

  • Never rely on assumptions — always simulate

Ubuntu does exactly what you tell it to do.
The problem is most admins never tell it not to touch MySQL.
