I don’t normally make it a habit to defend Samsung and Android but I thought I might as well put something out there in regards to the release of Android 9 on Samsung phones and the 6 month delay between it being ‘officially’ released by Google and it being made available to end users of Samsung phones. The first thing that is important to understand is that Android is like a ‘distribution’ like how one can see a GNU/Linux distribution being based on multiple projects that are all bought together and then tweaked/customised by the distributor itself to give it a unique look, feel and add features that end users might find useful.
In the case of Samsung though they’ve not only got to bring Android over and test it on their Exynos SoC but also fix up Android bugs that are found as their customisation is integrated back into it resulting an otherwise simple process into something more complex. Yes, yes, I know, in a perfect world we wouldn’t have heavily customised Samsung phones but it is the way in which vendors make their devices stand out from the rest – to give the Android on Samsung a uniquely Samsung experience when compared to what other vendors do.
Here is a good example, GNOME desktop has a particular release schedule but that isn’t necessarily going to line up with the release schedule for the OpenSUSE distribution so sometimes what you have a gap between when GNOME is released and when that updated GNOME rolls out to end users. Then add on top of that the OpenSUSE distribution folks building and testing for bugs – and sometimes the bugs that are specific to that particular distribution meaning that patches have to then be created to address the issues and then pushed upstream to their respective project source tree.
Given the dynamics of what happens in the Linux world one can apply the same sort of logic to Android where the code is released from Google to the AOSP then Samsung gets that code, merge it with their driver stack etc then test it, test it and test it some more then release it once it is ready. In other words, view the ‘release’ of Android as a code drop and follow the schedule set by the OEM (in other words view what you have on your phone as “Samsung Android” which has its own release schedule like how OpenSUSE has its own release schedule) – in the case of Samsung they release upgrades 6-8 months after the Android code drop which places it inline with the summer/spring (northern hemisphere) which is just before the usual announcement of new Samsung phones.
Now, regarding security updates, not every update is going to be relevant to your particular OEM hence it might not be necessary to push out an update for a security issue because your phone isn’t impacted by it. For example, in the latest January security update there are 4 security related fixes for the ext4 filesystem but if your vendor doesn’t use it then does it need updating? There is an update for Dragon BSP support from nVidia so unless your device uses that piece of hardware then your hardware isn’t impacted. That doesn’t even go into the various Qualcomm components where 6 of them are specific to Qualcomm so if you have an Exynos SoC then you’re left unaffected by it.
Then there is the other factor, as mentioned further up, as problems arise the vendor will make patches so there is a good to fair chance that the problem is resolved not to mention that the vendor could also pull down the code up to the latest security patch plus also additional patches that have been made so a ‘January 2019’ update might include more than just that patch thus it isn’t entirely accurate to just look at what patch level it is as it is possible that it could also fix more than just what is listed in the security bulletin for that particular month.