This question is asked fairly often, most recently here.
Please read this recent post which provides guidance on how often, and how to perform an update.
The user guide has the procedure to follow: Upgrading existing versions:
- Ian advises making a backup and trying the upgrade in one go first, and if you have any trouble, try again in two steps or more.
- I advise checking the “notes on specific versions”. This shows the key change and answers your "known compatibility changes" that should be checked.
- GeoServer community has capacity to support releases for a year as outlined in our security policy. Any release older than should be considered vulnerable. If your release falls outside of this timeframe you are “unpatched”. We have recently started using the CVE system to help communicate specific vulnerabilities.
- The announcements have “Security Consideration” if vulnerabilities are addressed, or you may directly review the published security advisories.
The above information can be used to highlight the value of updating with your stakeholders. Set the expectation of updating each year, or working with a service provider.
Context: A sustainable open source project requires time: your time if you choose to participate (help with docs or testing); or someone else's time (if you wish to contact one of our support providers). There is also an active crowdfunding activity to update components to meet security objectives.