Not sure about the bios update part but Intel has the reputation of having numerous vulnerabilities recently found and they have fixes that you install in the os that some say take a hit on performance. Others say not enough of a hit to worry about.

Amd also had some found but last I heard Intel had more.

These patches mainly hurt performance in very specific workloads such as virtualization. In gaming the performance impact is little to none.

Intel CPUs suffer from more bugs which aren't fixable via microcode updates. Hyper Threading for example, it's also exploitable and the only "fix" is to disable it. Disabling Hyper Threading will hurt performance in heavy multi-threaded workloads.

You don't have to get the latest microcode via BIOS updates, the OS can also load in CPU microcode.

Originally posted by Omega:

Intel CPUs suffer from more bugs which aren't fixable via microcode updates. Hyper Threading for example, it's also exploitable and the only "fix" is to disable it. Disabling Hyper Threading will hurt performance in heavy multi-threaded workloads.

Does this matter that since Coffee Lake (core i 9-th generation) Intel CPUs have hardware (not microcode) protection for some side-band attacks and mixed hardware+firmware for most others? So, only several vulnerabilities had pure software patches since i-9xxx.
But AMD quickly narrowed the gap when it released very good Ryzen 3xxx (first really good AMD CPUs in last decade). But not for a long. Latest Intel generation (alas, mobile only yet) seems is most invulnerable to side-band attack CPUs today.
However, spectre v1 (CVE-2017-5753) still stay a problem to both CPU manufacturers.

Originally posted by Omega:

These patches mainly hurt performance in very specific workloads such as virtualization. In gaming the performance impact is little to none.

In native gaming, should I add, because in example I've got a game I really like which I play via BlueStacks which takes advantage of virtualization.

On Intel side... maybe.

As for AMD side, in the coming month, many motherboard manufacturers will push out new BIOS (using new microcode) with 100 features and improvements.

Depending on the usage of the computer, it may be that the microcode patch is not really that big of a deal anyway.

There are too many systems to count that aren't going to get patched; the world hasn't ended for them or their owners, but it's possible the machines are mining bitcoins without the owner's being aware of it as a result of internet misadventure.

That's not to suggest you should avoid getting patches if they are available. As others have stated, a typical PC with typical CPU and storage connectivity might not be objectively visible as to performance detriments.

Subjectively, there are people that will blame the game developer for the coil whine the microcode is causing them, because they don't know how anything works so they blame the wrong things anyway and the microcode update doesn't change that fact.

Most of these bios patches, if the vendor makes them available, are something that can be undone--For example, Windows update also had a lot of patches for those systems with CPUs that could apply a microcode via software at system boot, if not in the hardware. These all can be reversible if the performance drop is severe (but it may take some effort to roll back the patch since the vendors are somewhat ostentatious about it--if it sucks, we're all welcome to buy new hardware, after all.)

A new Linux system I set up automatically pulled the microcode as part of an OS update and applies it at each bootup, but could be readily disabled there if so desired as well. That means on the same system, one OS can have the patch and the other not. It's a good way to test performance between microcodes if the underlying OSes are similar, too.