Question: I want to use 'host-passthrough' CPU mode for Nova instances,
          but I'm worried about "what happens when CPU microcode updates
          on the Compute node?"  E.g. will I be able to live-migrate my
          instance from Compute-A with older microcode to Compute-B with
          newer microcode?

Answer:

Your worry on microcode updates and live migration is legimate:

I.e. if you're (a) using 'host-passthrough' CPU mode on both your
Compute nodes; and (b) if the host microcode is _unidentical_ on both of
those nodes, then no, you will _not_ be able to live-migrate an instance
between said Compute nodes.

And no, I will not suggest to disable microcode update on the Compute
hodes.
 
The "only" sensible solution here: make sure all the Compute nodes with
'host-passthrough' have precise, matching microcode versions, along with
identical kernel, host CPUs, and BIOS settings -- that's the trade-off
you have to make for the performance gain you get with
'host-passthrough'.  Otherwise, your live migrations will (correctly)
fail with this error:

   "Unacceptable CPU info: CPU doesn't have compatibility"

        - - -

FWIW, in my talk on "Effective Virtual CPU Configuration", I mentioned
the impact of microcode on live migration, when using
'host-passthrough'.  Refer to See slide-18:
https://kashyapc.fedorapeople.org/Effective-Virtual-CPU-Configuration-in-Nova-Berlin2018.pdf

To quote from the end of slide-18 (which talks about 'host-passthrough'):

    "Along with identical CPUs, identical kernel and microcode are a 
    must for VM live migration!"