a question about images and how they update

let’s say I have made an image based on the official ubuntu:14.04.

From my understanding so far (still pretty basic) it’s a best practice not to update the system inside a container but instead sort of ‘replace’ the base system once in a while (so the updates to ubuntu will come through that updated ubuntu:14.04 image)

now my question is how that practically is being done. Let’s take the recent glibc problem. Would I wait till ubuntu:14.04 is newly build and re-build command my own image (based on that ubuntu:14.04)?
Or is pulling the updated ubuntu:14.04 already enough while docker does it’s magic somehow without me even noticing maybe?