Do subscribers typically bundle security updates, regression testing, and deployment to production in batches?

For subscribers who cannot deploy new code to Production on-demand for various reasons, a quarterly release timeline generally works well. The quarterly release timeline gives you time to shift resources and schedule your testing and deployment accordingly. Some subscribers require immediate deployment of all security changes, in which case the update may need to be self-applied and deployed.

Generally, the RA team can neither prioritize certain subscribers over others, nor predict when RA semi-automated scripts will reach certain subscriptions in RA’s list. Depending on the complexity of the update and number of subscribers responding to pending updates, one update may allow you to have your update applied and deployed to your RA environment within a few days, while another update could take one to two weeks.

We recommend you test core updates first, and then apply and test module security updates one at a time. This approach ensures core security, and saves effort if you encounter issues that require reverting the changes module-by-module.

In the case of particularly hazardous Drupal core updates, we will note in our communications you must deploy them as soon as possible, and explain why. If we are aware of a particularly hazardous module security update, we will also notify subscribers. This scenario happens less frequently, and the responsibility of monitoring is with the subscribers who are using specific modules.