While it is now obvious that both processor makers, as well as other companies, are looking to minimize the effect of the recently discovered Meltdown and Spectre security issues, it appears that the performance hit will be more than minimal, depending on the actual workload.
While Intel claims that any performance impacts are workload-dependent and should not be significant or noticeable by an average user, the situation is a bit different on servers.
The best example is the Epic Games game publisher which experienced login and stability issues due to updates on its cloud services.
According to Red Hat, the performance impact for Meltdown and Spectre security patches, also known as CVE-2017-5754, CVE-2017-5753, and the CVE-2017-5715 could be anywhere between one and twenty percent. The highest impact was noticed on OLTP Workloads (tpc), sysbench, pgbench, netperf (< 256 byte), and fio (random I/O to NvME) workloads.
Other companies are reporting a performance hit as high as 45 percent on some IO intensive applications as well as on some cryptocurrency mining, like the Monero.
Microsoft, which patched most of its Windows OS versions, including the Windows 7, Windows 8, Windows 10 as well as Windows Server 2008 R2, 2012 R2, and Windows Server 2016, has went official to note that users can expect a performance hit on Intel CPUs based on Haswell and older CPU architectures. On the AMD side, which CPUs are not affected by Meltdown, Spectre patch for Windows caused instabilities, but only on Athlon-based systems and should be fixed soon.
One thing that can help Intel is the PCID (Processor-Context ID) feature that is present on Intel CPUs since 2010 can reduce the performance hit. According to a post by Gil Tene, CTO and co-founder of enterprise Java biz Azul Systems, PCID has now become critical for both security and performance on Intel’s x86 platform, which is enabled by Windows but not on kernel-based virtual machines and some AWS instances.
In any case, Meltdown and Spectre bugs have certainly shaken the processor and server industries and companies, and while analysts are still gathering data, some sources estimate that damages to server companies will be huge.