Sometimes I don't want to update everything on my Ubuntu, but I want to keep it up to date with all patched security holes. At the same time I don't like when updates happen automatically, like Ubuntu documentation suggests.

This is the way to apply only security fixes:

1. Copy update sources list to a new file

sudo cp /etc/apt/sources.list /etc/apt/security.sources.list

2. Comment out everything in new file, but leave only security repositories

3. Use following command to apply updates using new file:

sudo apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list

I created an alias in my .bash_aliases for it:

alias updatesecurity='sudo apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list'

Now I simply type updatesecurity to stay up to date.

I found this solution via ServerFault.com