Kiel Bull

Keeping your Drupal site updated is key to its success and security. In this guide, we'll walk you through everything you need to know about Drupal updates, breaking down the essentials of core and contrib updates. Whether you're dealing with major changes, minor tweaks, or important patches, we've got you covered. Plus, we'll help you understand the importance of staying on schedule with these updates. Think of this as your go-to resource for making informed decisions about your Drupal site's maintenance and ensuring it continues to serve your needs effectively.

Drupal updates are split into two main categories: core updates and contrib updates.

Core updates address issues with and enhance the essential structural modules of a Drupal version, while contrib updates resolve issues specific to contributed modules, which extend Drupal's capabilities beyond its core features.

Core Drupal releases

There are three main types of core Drupal update:

•    Major updates - new Drupal versions that introduce substantial additional features or significant changes to those that already exist in the previous version. For example, Drupal 9.0 to Drupal 10.0.

•    Minor updates - improve the existing Drupal version with minor feature additions or enhanced functionality. With each minor update, the decimal place in the version number increases by 1, i.e., Drupal 10.1 to Drupal 10.2.

•    Patch updates - maintenance updates focused on bug fixes and fortifying security. For patch updates, a second decimal place is added, increasing by 1 with each release, i.e., Drupal 10.1.4 becomes Drupal 10.1.5.

Major update release frequency

In the past, the schedule for major releases has been inconsistent, but it has now become more standardised. Since Drupal 9, major Drupal updates are typically released every two years and are assigned three potential release windows: one in June, another in August, and a final window in December.

These windows are coordinated with the end-of-life of the Symfony software that each Drupal version is reliant on, ensuring your Drupal platform doesn’t fall behind the technology required for smooth operation.

•    The first window is an ambitious deadline contingent on steady progress with minimal delays.

•    The second window is more realistic, affording developers time to resolve teething issues with the constituent processes of an update.

•    The third window provides developers with an additional three months to definitively resolve outstanding problems and deliver a polished, functional update.

If a major update will not be complete by the June release window, it will be announced ahead of time, and the focus will shift to the August window. If the second deadline becomes infeasible, focus shifts to the final release window.

This approach maintains the flexibility required for Drupal development projects while still providing website owners something concrete to plan around.

Minor update release frequency

Minor Drupal updates are planned around major updates, meaning they too can have variable release windows. Following the release of a major update, a minor update is scheduled every six months.

Patch update release frequency

Much smaller in scope than minor updates, patches are released twice monthly via two distinct windows. The first window, focusing on bug fixes, opens at the beginning of each month - and remains open for a week. The second window, dedicated to security patch updates, usually occurs on the third Wednesday of the month.

The release window for patch updates begins at 12:00 PM (America/New York time). This corresponds to 4:00 PM GMT in the winter months (when New York is on Eastern Standard Time), and 5:00 PM in the summer months (when New York is on Eastern Daylight Time).

It’s possible for a patch update to be released outside these standard windows, but a public announcement will be made ahead of time.

Contrib releases

One of the best things about Drupal is extensive customisability. By selecting modules (the building blocks of the Drupal platform) that support specific functionalities, users can construct bespoke websites tailored to their needs.

However, as Drupal is an open-source project, not all modules come from the core development team. The Drupal community can also contribute modules for general use. These modules are referred to as contrib (contributory) modules.

Unlike core modules, contrib modules can be removed or replaced when no longer necessary or supported.

Although contrib modules are designed specifically for Drupal platforms, they’re seen as separate from the core modules of a Drupal version – and aren’t factored in to the major, minor and patch updates detailed above.

Instead, updates are developed specifically for contrib modules.

Contrib update release frequency

Contrib security updates are typically released every Wednesday evening. Generally speaking, contrib and core updates aren’t released on the same day – with one exception:

If an issue addressed by a core update is also affecting a contrib module, resolutions for both the core and contrib modules are released simultaneously.

When you should upgrade vs. when you need to upgrade

We recommend updating your Drupal platform as and when major, minor and patch updates are made available - for the following benefits:

•    Enhanced security

•    Bug fixes

•    Compatibility with new features

•    Consistent full support

•    Reduced likelihood of conflicts between modules and extensions

•    Staying ahead of issues

However, each core Drupal version remains functional until two subsequent major updates have been released. Major updates typically follow a two-year release cycle, meaning every core Drupal version has a lifespan of around four years.

Full support is provided for the first two years of a Drupal version’s lifecycle. Your platform will receive only essential maintenance and security support through years three and four. After that, support phases come to an end.

As such, you will need to have upgraded to the next core Drupal version in sequence by the release date of the major update that proceeds it. For example, the deadline for updating from Drupal 10 to Drupal 11 will arrive in mid-to-late 2026, when Drupal 12 is released.

Can I skip updates and upgrade to the latest Drupal release?


Major updates

Before updating to a new major Drupal release, it’s crucial that you first upgrade to the latest minor iteration of your current Drupal version.

The Drupal ecosystem undergoes significant changes with each major release, meaning several of the modules and features you’re currently using won’t be supported by the new version.

It may seem like less work to leapfrog Drupal versions than to update sequentially, but the manual rebuilding required to keep your website fully functional after the jump can be extremely difficult, time-consuming, and costly.

With this in mind, it’s important not to leave upgrades until the last minute. Give yourself time to cycle through all necessary Drupal versions before transitioning to the latest version.

Minor updates

Skipping intermediate minor updates and upgrading to the latest minor version of a Drupal version (e.g., Drupal 10.1 to Drupal 10.3) is sometimes possible; it depends on the particulars of the update and the guidance provided in the release notes.

To ensure a smooth transition, it’s always best to upgrade in sequence.

Patch updates

Although Drupal patch updates are smaller and more focused than minor or major releases, they’re still important and should not be skipped. Patch updates address security vulnerabilities and ensure the stability of your Drupal platform.

Adaptive handles the process on your behalf as part of our commitment to optimal platform security.

Contrib updates

We advise against skipping contrib updates, as they deliver essential security and stability improvements for your contrib modules. 

Furthermore, contrib updates are often cumaltive, meaning each update builds upon the previous ones. If you miss an update, then apply the proceeding update, it may not have the intended impact.

Our testing process & update schedule

Before any new patch or contrib update goes live on your website, we carry out a structured testing process to reduce the risk of downtime, errors, and security vulnerabilities. This process involves:

1.    Testing updates in a local development environment to ensure they work correctly

2.    Deploying updates in a staging environment to test in a more realistic setting

3.    Conducting various tests to check functionality, compatibility, performance and security

4.    Ensuring existing features still work after updates are applied

5.    Developing a rollback plan to revert changes if issues arise

We update our clients’ Drupal 10 websites monthly – once all patch and contrib updates have been made available for the month in question. 

We test these smaller monthly updates together in order to streamline our services. However, any updates that address a serious security issue will be tested immediately and applied to your Drupal 10 website once any issues are identified and resolved.