Apt will install a package but if a service is in use the kernel still runs the old until you stop the services and restart. its just not apparent to the user. This is not live patching, live patching is when kernel will load a new patch and you temporarily have two states and during a momentary blip pass all control to new kernel…this is typically for mission critical server that can’t have downtime. Just running a regular update does not do this.