They're both kinda dumb though. Updating will create a new layer, but the old binaries will still be a part of the image as part of the history.
The only correct way is to either rebuild the base image from scratch or just fetch a new base image.
My suggestion would be the latter, just run docker pull again for the baseimage and use that, without running update.
The nonsensical one would be do-release-upgrade.