Extended Support Vendors,
Compared
When software reaches end of life, the original vendor stops shipping security patches — but a market of extended-lifecycle-support vendors has grown up specifically to fill that gap, backporting CVE fixes for a fee so teams can keep running EOL software safely while they plan a migration on their own schedule. This page is a neutral reference to that market, organized by coverage area, so you know what exists before you start evaluating anyone.
Market Overview by Coverage Area
| Coverage Area | What It Covers | Typical Buyer | Vendors Active |
|---|---|---|---|
| EOL Linux distros | CVE backports for OS packages after distro EOL (CentOS, Ubuntu, Debian, etc.) | Infrastructure / platform teams with legacy hosts | TuxCare, Canonical ESM, Red Hat ELS, SUSE Multi-Linux |
| EOL app frameworks / languages | Security patches for EOL language runtimes and JS/web frameworks | Application teams on legacy PHP, Node.js, AngularJS, etc. | HeroDevs, TuxCare, OpenLogic |
| EOL Java | JDK builds and security patches beyond vendor JDK EOL | Teams running legacy JDK versions in production | Azul, TuxCare, OpenLogic, Red Hat |
| EOL Windows / Microsoft | Microsoft-only Extended Security Updates for Windows Server, SQL Server, and Windows client | Enterprises on legacy Windows infrastructure | Microsoft ESU (sole source) |
| Databases | Security patching for EOL database engines and versions | Teams unable to upgrade database major versions quickly | TuxCare, OpenLogic, Azul (Java-adjacent), Red Hat ELS |
Where endoflife.ai fits: we track the EOL dates and risk exposure across 460+ products and match teams with the right provider for their specific coverage need — free, no obligation. We don't sell extended support ourselves; we route you to the vendor suited to your stack.
Free · no obligation · we match you with the right provider
EOL Linux Distros
This is the most mature corner of the extended-support market. When a distribution like CentOS, Ubuntu LTS, or Debian reaches EOL, its package repositories stop receiving security fixes, but the binaries themselves keep running exactly as before — which is precisely why this category exists. Vendors here backport CVE fixes into the existing package set without requiring a distro upgrade, so the honest tradeoff is: you avoid the disruption of an OS migration in the short term, but you're paying an ongoing fee for a distribution that will eventually need to be replaced anyway, and CVE coverage scope varies by vendor and package set — verify what's actually included before assuming full parity with the original vendor's patch stream.
Running an EOL Linux distro?
Get matched with a provider suited to your distro and version.
EOL App Frameworks & Languages
This category covers EOL language runtimes (like PHP 7.x) and EOL frontend/backend frameworks (like AngularJS). It's a newer, faster-growing part of the market than Linux ESU, largely because modern web applications accumulate framework-version debt quickly and rewrites are expensive. The honest tradeoff here is sharper than in Linux: framework-level patching is inherently narrower in scope than OS-level patching, since a framework vendor is backporting fixes into application-layer code rather than isolated OS packages, so due diligence on exactly which CVE classes are covered matters more in this category than almost any other.
Running an EOL framework or language runtime?
Get matched with a provider suited to your stack.
EOL Java
Java has a distinct extended-support ecosystem because of how JDK distributions work: several vendors ship their own OpenJDK builds with independent support timelines, so "EOL Java" can mean different things depending on which JDK distribution you're actually running. Vendors in this space typically offer both continued JDK builds and CVE patching for versions the original distributor has stopped supporting. The tradeoff to weigh honestly: switching JDK vendors entirely (rather than buying extended support for your current one) is sometimes the simpler and cheaper path, since JDK compatibility across vendors is generally strong — extended support is most valuable when you're locked to a specific vendor's build for certification or contractual reasons.
Running an EOL Java version?
Get matched with a provider suited to your JDK distribution.
EOL Windows / Microsoft
This category is structurally different from the rest: for Windows Server, Windows client, and SQL Server, Extended Security Updates are sold only by Microsoft — there is no third-party vendor offering an equivalent, sanctioned patch stream for the underlying OS or database engine itself. The honest tradeoff is narrower than elsewhere in this market: your real decision isn't which vendor to pick, it's whether to buy Microsoft's ESU program (via Azure Arc or volume licensing), migrate to a supported version, or move the workload to a cloud platform where the version-lifecycle problem is handled for you. Third-party extended-support vendors do operate around the edges of the Microsoft ecosystem — for software running on top of Windows, for instance — but not for Microsoft's own ESU-gated products.
Running EOL Windows Server, Windows client, or SQL Server?
Get matched with the right path for your Microsoft stack.
Databases
Database extended support spans open-source engines (MySQL, PostgreSQL, MariaDB) and, indirectly, database-adjacent Java runtimes where the database itself runs on a JVM. The buying calculus tends to be more conservative here than in other categories, because databases sit closer to the data itself — teams weigh the operational risk of an unpatched database engine against the operational risk of a major-version upgrade that could affect query behavior or compatibility with existing application code. The honest tradeoff: extended support buys time to test a database upgrade properly rather than rushing it, but it doesn't reduce the eventual migration effort — it only delays it.
Running an EOL database version?
Get matched with a provider suited to your database engine.
Frequently Asked Questions
What is an extended-lifecycle-support vendor?
A company that continues shipping security patches for software after its original vendor has stopped — for a fee. Coverage typically includes CVE-driven backports for a defined period after end of life, without requiring an upgrade to a newer, supported version.
Is extended support the same across every category?
No. Coverage, pricing models, and typical buyers differ significantly between EOL Linux distributions, app frameworks and languages, Java, Windows/Microsoft ESU, and databases. A vendor strong in one category is not automatically the right fit for another.
Does endoflife.ai sell extended support directly?
No. endoflife.ai tracks end-of-life dates and risk exposure across 460+ products and matches teams with an appropriate extended-support or migration provider. The matching is free and comes with no obligation.
How do I know if I need extended support instead of just migrating?
It depends on your risk window and the workload's exposure. If a migration can complete before compliance or security risk becomes unacceptable, migration alone may be sufficient. If not — especially for compliance-critical or internet-facing workloads — extended support is typically used as a bridge while migration proceeds.
Ready to find the right extended-support provider for your stack?
We track the dates and match you with the right provider for your situation.