Ever since the beginning, Android OTA updates have worked by patching each file on your system partition individually. With Lollipop, that is all changing, and it has some important implications for those who like to root and mod their devices.
Here's what a pre-Lollipop update script looked like:
As shown, the recovery looks at this, finds each file, checks its signature, then applies a patch to it if it matches. This is the slow way of doing things, but it had a big benefit for rooters and those who like to mod their devices. As long as none of those files were touched, you could have anything you wanted on your system partition (the "su" binary for instance, maybe an INI file for a root app, etc.) and you could still apply OTA updates successfully.
With Lollipop, this has all been turned on its head because now, the OTA script no longer patches individual files. Instead, it patches the system block directly and treats it as one enormous blob. Here's a look at the update script in a recent Nexus 9 OTA:
From a technical standpoint, the reason behind the change has to do with verified boot, which was first introduced in KitKat. Even though Google has yet to enable this feature on a Nexus device, this move seems to indicate that the company could be preparing to go that route in the future.Even outside of verified boot, though, it makes all the sense in the world to do OTAs this way. Patching the system block directly is far faster than trying to patch a lot of individual files. That said, if you're one of those who like to tinker with your devices, you'll have to flash a completely stock system image before applying an update because changing anything by so much as one byte will throw off the signature and make it so the OTA will fail.