I'm not sure whether I should be putting this on the Solaris 10 or the Solaris 11 discussion since Solaris 10 branded zones run on top of Solaris 11 but I decided to put it here. I also apologize is this is clearly documented somewhere but if it is I've not found it.
Once I've moved a Solaris 10 system or zone to a "Solaris 10 branded zone" how do I maintain it. As far as I can determine, I cannot apply maintenance updates to it (ie. go from Solaris 10 9/10 to Solaris 10 8/11). Attempts to apply the associated patch bundles seem to fail in the checking out the system code. So it appears that I'm stuck with simple patching. It also appears that you can't use Live Upgrade which means that you might destabilize the zone during patching which makes it awkward if you need to maintain uptime. Furthermore, if appears that backing out the kernel patch in the zone (on Intel at least) can clobber libc.so.1 which clobbers the zone (thank heaven for ZFS snapshots - rollback!).
What is the safest way to patch these zones? Yes, I could recreate the zone from a Solaris 10 system but I'm thinking down the road where we're running Solaris 11 and Solaris 10 exists only in zones.