The PostgreSQL community released a set of minor versions on May 9th, 2024 — one for each of the supported “stable” major versions. Later that same day, Amazon RDS for PostgreSQL followed up with its own release announcement. It was the first time that we launched a minor version the same day as the community, which got me thinking about how important it is to maintain PostgreSQL currency.
I am not referring to some interesting new cryptocurrency somehow based on PostgreSQL. And, although PostgreSQL is surely worth its virtual weight in gold, I don’t want to imply some tie to the gold standard either. Instead, what I aim to discuss is the importance of staying current with the latest and greatest PostgreSQL minor release version.
What are the best reasons to upgrade sooner rather than later? Conversely, what are the reasons to wait? Time to dive in.
Three Best Reasons to Upgrade Quickly
Intuitively, you know staying current is in your best interest. But let’s explore some concrete reasons you might want to stay as up to date as possible.
Known bugs get fixed
Looking at the most recent PostgreSQL community release announcement, it says: “This release fixes one security vulnerability and over 55 bugs reported over the last several months.” Even if you are not currently affected by one of those bugs, there are no guarantees that one or more of them will not bite you tomorrow.
Regressions are rare
The PostgreSQL minor versions are equivalent to what some database engines call “patches” and never contain new features — by longstanding policy they only fix bugs. In fact, the official policy says “Minor releases only contain fixes for frequently-encountered bugs, low-risk fixes, security issues, and data corruption problems. The community considers performing minor upgrades to be less risky than continuing to run an old minor version.” Because of this policy, regressions in minor version updates are extremely rare. I can only recall a few in over two decades of closely following and participating in PostgreSQL development.
Compliance
Many organizations must meet compliance directives, or at least have policies that aspire to meet some best practice. Some examples:
- CIS Benchmark – The CIS Benchmark for PostgreSQL specifically says “One of the best ways to ensure PostgreSQL security is to implement security updates as they come out, along with any applicable OS patches that will not interfere with system operations.”
- CISA Binding Operational Directives – According to “BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems”:
  - Critical vulnerabilities must be remediated within 15 calendar days of initial detection.
  - High vulnerabilities must be remediated within 30 calendar days of initial detection.