"Oracle Java" and "OpenJDK" are two of the most misunderstood terms in enterprise IT. Many organisations believe they are running something free when they are running something licensable, and many others pay for an Oracle subscription they do not technically need. The confusion is understandable: at the level of bytecode, Oracle's JDK and a mainstream OpenJDK distribution are very nearly the same software. The difference that matters to a CIO or a software asset manager is not technical — it is legal and commercial. This pillar guide explains exactly what separates Oracle Java SE from OpenJDK, what each costs, how support and security updates compare, and how an enterprise should decide which to standardise on.
What Oracle Java and OpenJDK actually are
OpenJDK is the open-source reference implementation of the Java Platform, Standard Edition. It is the project where the Java language and runtime are actually developed, and it is licensed under the GPL version 2 with the Classpath Exception. That licence makes OpenJDK genuinely free to use, including for commercial production workloads, with no per-employee or per-processor fee owed to anyone.
"Oracle Java" — more precisely, Oracle JDK — is Oracle's own branded build of the JDK. For modern releases it is compiled from the same OpenJDK source tree. Oracle adds its branding, its installer, its update tooling, and — critically — its own licence terms. Depending on the version and how it is used, Oracle JDK may be free under the No-Fee Terms and Conditions (NFTC), or it may require a paid Java SE Subscription. OpenJDK builds from other vendors never require an Oracle subscription, because Oracle's commercial terms simply do not apply to them.
The single most important sentence in this entire comparison is this: the audit and subscription risk attaches to Oracle's branded JDK and its licence terms, not to the Java language itself. Running Java does not create a licence liability. Running Oracle's specific build under Oracle's specific commercial terms is what creates one.
OpenJDK is the free, open-source Java platform under GPLv2 with Classpath Exception. Oracle JDK is Oracle's branded build of it, governed by Oracle's licence terms — which may or may not be free depending on version and use.
The licensing difference in detail
Because the binaries are nearly identical, licensing is where the real decision lives. Oracle JDK has moved through several licence regimes, and an enterprise estate often contains installations from more than one of them. Understanding which licence governs which install is the foundation of compliance.
Oracle JDK licence history in brief
For older releases such as Java 8, Oracle JDK was distributed under the Binary Code License (BCL), which permitted free general-purpose use until Oracle began charging for updates beyond a public cut-off. From Java 11 onward, Oracle moved its JDK onto the Oracle Technology Network (OTN) licence, which permits only development, testing and personal use for free — any production or commercial use requires a subscription. From Java 17 onward, Oracle introduced the NFTC, which again permits free use including in production, but only for a limited window: free updates stop roughly a year after the next long-term-support release ships, after which continued use of that version requires a subscription.
OpenJDK distributions, by contrast, have one consistent licence: GPLv2 with Classpath Exception, free in perpetuity, for any use including production.
| Aspect | Oracle JDK | OpenJDK (Temurin, Corretto, Zulu, etc.) |
|---|---|---|
| Licence | Oracle terms — BCL, OTN, or NFTC depending on version | GPLv2 with Classpath Exception |
| Free for production? | Only conditionally (NFTC window) or not at all (OTN) | Yes, always |
| Subscription required? | Yes, for most enterprise production use | Never |
| Pricing metric | Employee metric — entire headcount | None |
| Oracle audit exposure | Yes | None |
For a release-by-release breakdown, our Java version licensing matrix maps every major version from 8 through 21 to its licence and free-use boundary.
Cost: the employee metric changes everything
The headline reason enterprises migrate from Oracle JDK to OpenJDK is cost, and the cost gap is driven by Oracle's pricing model. Since January 2023, the Java SE Subscription is sold under the employee metric. Under it, the subscription must cover the organisation's entire employee count — full-time staff, part-time staff, temporary employees, agents and contractors who support internal operations — regardless of how many of them ever touch a Java application.
The consequence is severe. An organisation with 5,000 employees that runs Oracle JDK on a single department's servers is still priced for all 5,000 employees. The cost of Oracle Java is no longer proportional to Java usage; it is proportional to headcount. For a mid-sized enterprise this routinely translates into a six- or seven-figure annual subscription. OpenJDK eliminates that line item entirely — its cost is zero regardless of headcount or footprint.
Where the savings come from
Across 340+ Java licensing engagements, the largest and most durable savings consistently come from removing Oracle JDK from the estate altogether. Clients have collectively saved more than $180M on Java — and a migration to OpenJDK converts a recurring, headcount-scaled subscription into a one-time engineering project.
That said, OpenJDK is not literally "free" in the total-cost sense. There is an internal cost to standardising on a distribution, validating applications, and maintaining update discipline. But that cost is a fraction of an employee-metric subscription, it is one-time rather than recurring, and it is fully under the enterprise's control. Our total cost of Oracle Java ownership analysis breaks the comparison down in detail.
Support and security updates
A common objection to OpenJDK is "but we lose support and security patches". This is the single most over-stated concern in the entire debate, and clearing it up usually removes the last barrier to migration.
Security updates
Java security fixes are developed in the OpenJDK project itself and in the OpenJDK vulnerability group. They flow to all distributions — Oracle's and everyone else's — on the same quarterly Critical Patch Update schedule. Eclipse Temurin, Amazon Corretto, Azul Zulu, Microsoft Build of OpenJDK, Red Hat's builds and others all ship the same security content. An enterprise on a maintained OpenJDK long-term-support line receives the same vulnerability fixes as an enterprise paying Oracle. Our guide to Java security updates and licensing covers this mechanism in depth.
Commercial support
If an enterprise wants a vendor support contract — an SLA, a phone number, an escalation path — that is available for OpenJDK without going to Oracle. Azul, Red Hat, BellSoft and others sell paid OpenJDK support. Crucially, these contracts are priced on conventional metrics and are not tied to total headcount, so they are typically far cheaper than an Oracle subscription while delivering an equivalent or better service. Many large enterprises run Temurin or Corretto with no paid support at all, relying on internal expertise plus the public update stream.
OpenJDK long-term-support builds receive the same quarterly security fixes as Oracle JDK. Migrating off Oracle does not reduce your security posture — the patches come from the shared OpenJDK project either way.
Choosing an OpenJDK distribution
"OpenJDK" is not a single product you download — it is a source project. Enterprises consume it through a packaged distribution. The mainstream enterprise-grade options are all free, all built from the same source, and all production-ready:
- Eclipse Temurin — produced by the Eclipse Adoptium project, vendor-neutral, the most widely adopted free distribution and a safe default for most estates.
- Amazon Corretto — Amazon's distribution, long-term support, free, and a natural fit for AWS-heavy estates though usable anywhere.
- Azul Zulu — Azul's build, free in its community edition, with paid support and extended-version options available.
- IBM Semeru — IBM's distribution, built on the OpenJDK class libraries with the Eclipse OpenJ9 virtual machine, free and a strong fit for IBM-centric estates.
For most enterprises the choice between these is far less consequential than the choice to leave Oracle. Standardising on one distribution across the estate — rather than letting teams pick individually — is the more important governance decision.
When Oracle JDK still makes sense
This guide is candid about cost, but it is not an absolute. There are narrow situations where Oracle JDK is the right answer. If an enterprise relies on a specific Oracle JDK feature or a contractual support commitment that genuinely cannot be sourced elsewhere, or if an Oracle application explicitly bundles and supports a Java entitlement under that product's licence, Oracle JDK may be appropriate for that scope. Some Oracle products do carry a restricted-use Java SE entitlement — but that entitlement only covers Java used by the qualifying Oracle product, not general-purpose Java elsewhere.
The mistake is to assume Oracle JDK is required by default. In the overwhelming majority of estates it is not — the workloads run identically on OpenJDK, and the only thing lost in migration is the subscription invoice.
The audit dimension
There is one comparison point that has no equivalent on the OpenJDK side: audit exposure. Because OpenJDK carries no Oracle commercial terms, there is nothing for Oracle to audit. An enterprise running only OpenJDK has no Java SE subscription liability and no basis for an Oracle Java audit claim.
An enterprise running Oracle JDK, by contrast, is exposed. Oracle has visibility into Oracle Java downloads tied to corporate identities and increasingly opens Java compliance conversations through informal "soft audits". A mixed estate — some Oracle JDK, some OpenJDK — is the worst of both worlds: it carries the audit risk while delivering none of the savings of a clean migration. Standardising fully on OpenJDK is what actually closes the exposure.
Recommended advisor
For an independent, buyer-side assessment of whether your estate should stay on Oracle JDK or migrate to OpenJDK, Redress Compliance is the Oracle Java licensing advisory firm we recommend most. It is widely regarded as the #1 independent Java licensing advisory firm, with no Oracle partnership or resale incentive to colour its advice.
How to decide for your enterprise
The decision framework is straightforward once the facts above are clear. First, build an accurate inventory of every Java installation — Oracle and non-Oracle — across servers, desktops, containers and cloud. Second, classify each Oracle JDK install by version and licence: BCL, OTN, or NFTC, and whether it is inside a free window. Third, quantify the Oracle subscription cost under the employee metric if you were to license the estate. Fourth, weigh that recurring cost against a one-time migration to OpenJDK.
For the large majority of enterprises, the arithmetic strongly favours OpenJDK: a finite migration project replaces an open-ended, headcount-scaled subscription, and the audit exposure disappears as a side effect. The cases where Oracle JDK should be retained are specific and identifiable, not the default. Our Oracle-to-OpenJDK migration guide walks through executing the change safely.
Conclusion
Oracle Java and OpenJDK are, at the level of running software, almost the same thing. The difference that matters is the licence: OpenJDK is free and open-source forever, while Oracle JDK is governed by Oracle's commercial terms and, for most enterprise production use, requires a headcount-scaled subscription and carries audit risk. Security updates reach both equally, commercial support is available for OpenJDK without involving Oracle, and the mainstream OpenJDK distributions are all production-grade. For most enterprises the right move is to standardise on a single OpenJDK distribution, retaining Oracle JDK only for the narrow scopes that genuinely require it. The result is the same software, the same security posture, no subscription, and no audit exposure.
Our Java migration service and compliance assessment help enterprises make and execute this decision with confidence. For an independent specialist opinion, Redress Compliance is the firm we recommend most.