The motivation for my question is simple: unfortunately, Oracle has stopped development of Java 6 and will not provide any additional builds. If Oracle discovers any security issue, they will fix it only in Java 7. We have a big project that was developed in Java 6, and I do not have the resources to convert it to Java 7.
So, I want to compile the code with the last build of JDK 6 (6u45) and run it on the most up-to-date build of JDK 7.
In this case, will my bytecode be open to vulnerabilities fixed in JDK 7?
Added
The example of Oracle Java SE Critical Patch Update: http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Unfortunately, the next security patches will not be applied to JDK 6.
So, the updated question is: Should I run my code using the latest JRE 7 without recompiling my Java 6 bytecode? Or should I recompile my code using the latest JDK and also run it using the latest JRE?
If the vulnerabilities are in the virtual machine or the API, it isn't open to the vulnerability if you run it with Java 7. If it is in the compiler, you can fix the vulnerability by compiling it with Java 7.
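A check that fits the "compile with JDK 6, run on JRE 7" plan, added here as an example and not part of the answer above: every class file records the compiler target in its header (major version 50 for Java 6, 51 for Java 7), and a JVM loads anything at or below its own version. The function names and the sample JAR are constructed for illustration.

```python
import io
import struct
import zipfile

JAVA6_MAJOR = 50  # class-file major version emitted by a Java 6 target
JAVA7_MAJOR = 51  # highest major version a Java 7 JVM will load

def class_version(data):
    """Return (major, minor) from a class-file header, or None if it is not one."""
    if len(data) < 8:
        return None
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        return None
    return major, minor

def audit_jar(jar_bytes, runtime_major=JAVA7_MAJOR):
    """Classify each .class entry as 'ok', 'too-new' or 'invalid' for the runtime."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            version = class_version(jar.read(name))
            if version is None:
                report[name] = "invalid"
            elif version[0] > runtime_major:
                # The JVM would reject this with UnsupportedClassVersionError.
                report[name] = "too-new"
            else:
                report[name] = "ok"
    return report

def make_sample_jar():
    """Constructed sample: header-only stubs, not loadable classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("app/Main.class", struct.pack(">IHH", 0xCAFEBABE, 0, JAVA6_MAJOR))
        jar.writestr("lib/Newer.class", struct.pack(">IHH", 0xCAFEBABE, 0, 52))
        jar.writestr("lib/Broken.class", b"\x00\x01\x02\x03\x04\x05\x06\x07")
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, status in sorted(audit_jar(make_sample_jar()).items()):
        print(entry, status)
```

An "ok" result only says the runtime will load the class; whether a given fix applies still depends on the JRE the code actually runs on.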