Offline Root CA Maintainance Best Practice Query.

Dear All,

We have two tier CA architecture in our Enviornment. A Offline Root CA and
an online issueing CA. We have kept the Offline Root CA on a VM. The VM is
turned off. But all Servers in our enviornment are patched with latest
security patches. Is it necessary to patch the Root CA Server(offline) ? What
is the best practice for patching and antivirus definition update on offline
Root CA ?