Why is apt upgrade suggesting more packages to be installed when compared to apt-get upgrade?

Question

When running apt upgrade I get a different list of "NEW packages" to be installed, compared to running apt-get upgrade.

I read through some comparisons between as to what the difference between apt upgrade and apt-get upgrade may really be, but all of the articles describe them to do the same thing.

Here is what I am getting right now when running apt upgrade:

Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  linux-headers-5.4.0-47 linux-headers-5.4.0-47-generic linux-image-5.4.0-47-generic linux-modules-5.4.0-47-generic linux-modules-extra-5.4.0-47-generic motd-news-config
The following packages will be upgraded:
  base-files linux-generic linux-headers-generic linux-headers-virtual linux-image-generic linux-image-virtual linux-virtual ubuntu-server
8 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 74.2 MB of archives.
After this operation, 360 MB of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.

And this is my output for apt-get upgrade:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  base-files linux-generic linux-headers-generic linux-headers-virtual linux-image-generic linux-image-virtual linux-virtual ubuntu-server
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded

Ok, so there apt-get upgrade decides that it's a good idea to hold back some packages, whereas apt upgrade will happily install them. Can someone explain why this is and which upgrade path I should use if I want the latest security updates to be installed?

Answer 1

apt upgrade allows the installation of new packages by default during upgrades, whereas apt-get upgrade doesn’t. This cascades, so apt-get upgrade refuses to touch any package whose upgrade would result in the installation of a new package; this is what happens in your case.

You should use apt upgrade to ensure you have all the latest security updates. In some cases, you may even need apt full-upgrade (or apt-get ..., they are equivalent here), if the update involves removing packages. The Debian FAQ recommends the latter directly (when not using aptitude); since you’re using another distribution you should follow that distribution’s instructions.

See also apt-get upgrade holds back a kernel update. What are the official instructions for applying updates on Debian 9?

Answer 2

See man 8 apt:

upgrade (apt-get(8))
   upgrade is used to install available upgrades of all packages currently installed on
   the system from the sources configured via sources.list(5). New packages will be
   installed if required to satisfy dependencies, but existing packages will never be
   removed. If an upgrade for a package requires the removal of an installed package the
   upgrade for this package isn't performed.

This enables apt upgrade to upgrade packages where apt-get upgrade won't by installing additional packages. As mentioned in the apt upgrade output:

The following NEW packages will be installed:
  linux-headers-5.4.0-47 linux-headers-5.4.0-47-generic linux-image-5.4.0-47-generic linux-modules-5.4.0-47-generic linux-modules-extra-5.4.0-47-generic motd-news-config

Older versions of the manpage make it more explicit:

DIFFERENCES TO APT-GET(8)
The apt command is meant to be pleasant for end users and does not need to be 
backward compatible like apt-get(8). Therefore some options are different:
[...]

The option upgrade has --with-new-pkgs enabled by default.