
Hi Christian, I'd say that the CPUs aren't perfectly uniform in terms of capabilities and microcode patches. "ssbd" is a speculative store bypass, as far as I know, and if your host doesn't have the µ-code patches installed but your cluster definition has them (based typically on the machine used to install the hosted-engine), then you either need to lower your base in the hosted-engine VM (and restart it), or patch the host so it delivers on the mitigation. All this Spectre stuff is creating quite a bit of extra work, and I try to just keep them out of my clusters, because I have no potential for hostile workloads on them (nor data worth exploiting). But it's clear that production environments with compliance requirements need to manage this carefully.
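One way to make the check described in that reply concrete, as an added example that is not part of the original thread or of oVirt itself: a POSIX shell script that compares the feature flags a host actually exposes in /proc/cpuinfo against the flags a mitigation-aware cluster CPU type expects, and lists which entries the kernel still reports as unmitigated under /sys/devices/system/cpu/vulnerabilities. The required-flag set `spec_ctrl ssbd` is an assumption about what an IBRS/SSBD cluster CPU type needs (verify against your cluster's model), and the two cpuinfo excerpts are constructed sample input, one for a host with the updated microcode and one without.

```shell
#!/bin/sh
# Added example, not code from the original thread. Compares the CPU flags a
# host exposes with the flags a Spectre/SSBD-aware cluster CPU type expects,
# and lists kernel-reported vulnerabilities that are still unmitigated.

# missing_flags "flag1 flag2 ..." "<cpuinfo text>"
# Prints each required flag that is absent from the first "flags" line of the
# given cpuinfo text, one per line. Whole-word match, so "ssbd" does not match
# a flag that merely contains that substring.
missing_flags() {
    required=$1
    flags_line=$(printf '%s\n' "$2" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    for f in $required; do
        case " $flags_line " in
            *" $f "*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# unmitigated_vulns <dir>
# Lists the entries in a sysfs vulnerabilities directory (normally
# /sys/devices/system/cpu/vulnerabilities) whose status starts with
# "Vulnerable", i.e. for which neither microcode nor kernel has a mitigation
# in effect.
unmitigated_vulns() {
    for entry in "$1"/*; do
        [ -f "$entry" ] || continue
        case "$(cat "$entry")" in
            Vulnerable*) basename "$entry" ;;
        esac
    done
}

# Assumed requirement of the cluster CPU type (check your own cluster model).
REQUIRED_FLAGS="spec_ctrl ssbd"

# Constructed sample input: abbreviated cpuinfo for a host whose microcode
# exposes the mitigation flags, and for the same CPU model without them.
CPUINFO_PATCHED='processor : 0
model name : Intel(R) Xeon(R) CPU E5-2680 v4
flags : fpu vme sse4_2 avx2 spec_ctrl ssbd md_clear
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass'

CPUINFO_UNPATCHED='processor : 0
model name : Intel(R) Xeon(R) CPU E5-2680 v4
flags : fpu vme sse4_2 avx2
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass'

# report_host "<label>" "<cpuinfo text>" prints a one-line verdict.
report_host() {
    missing=$(missing_flags "$REQUIRED_FLAGS" "$2")
    if [ -z "$missing" ]; then
        printf '%s: all required flags present\n' "$1"
    else
        printf '%s: missing %s (lower the cluster CPU type or update microcode)\n' \
            "$1" "$(printf '%s' "$missing" | tr '\n' ' ')"
    fi
}

report_host "sample patched host" "$CPUINFO_PATCHED"
report_host "sample unpatched host" "$CPUINFO_UNPATCHED"

# Against the live host, when run on Linux.
if [ -r /proc/cpuinfo ]; then
    report_host "this host" "$(cat /proc/cpuinfo)"
fi
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    printf 'unmitigated on this host: %s\n' \
        "$(unmitigated_vulns /sys/devices/system/cpu/vulnerabilities | tr '\n' ' ')"
fi
```

Run it on each host in the cluster; a host that prints missing flags for the flag set your cluster CPU type requires is exactly the case where the hosted-engine VM's CPU type must be lowered or the host's microcode updated before that host can run VMs at the cluster level.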