Upgrading apache without upgrading Ubuntu?

If all you're looking to do is get some security updates, then don't worry about it - as long as you have a standard installation and you run:

apt-get update
apt-get upgrade

You'll get the updates from the karmic-security APT repository. It's Ubuntu's policy to not change the version of a package once released, but they will backport security updates from later releases as necessary. There are a handful of exceptions to this policy (Firefox being the most notable) but Apache2 isn't one of them.

In fact, if you look at the apache2 karmic package page, you'll see the current version is noted as "security" and if you view the changelog you'll see they've already backported the security issues.

If you're really interested in getting a later version without upgrading, you should read the Ubuntu Backports wiki page. There are a number of different options available, from re-building your own packages to using the Ubuntu backports repository to get some later packages.

Well technically you could do that by adding a deb line in /etc/apt/sources.list for lucid (here's an example) :

deb http://archive.ubuntu.com/ubuntu/ lucid main restricted universe multiverse

Then apt-get update and apt-get install apache2 (to update Apache2 only). But there's absolutely NO WARRANTY AT ALL that the update won't break your Apache2 installation, or something else in the system (missing library, wrong link...).

Needless to say you shouldn't do that on a production server :)

If the update is really critical for your system, you should remove the existing package and compile Apache2 by yourself (or better, create a package using checkinstall which will be easily uninstallable later).