diff -u b/core/modules/update/tests/src/Functional/UpdateContribTest.php b/core/modules/update/tests/src/Functional/UpdateContribTest.php
--- b/core/modules/update/tests/src/Functional/UpdateContribTest.php
+++ b/core/modules/update/tests/src/Functional/UpdateContribTest.php
@@ -557,13 +557,9 @@
         'expected_update_message_type' => static::UPDATE_NONE,
         'fixture' => 'sec.8.x-1.2_8.x-2.2',
       ],
-      '8.x-2.0, 8.x-1.2 8.x-2.2' => [
-        'module_patch_version' => '8.x-2.0',
-        'expected_security_releases' => ['8.x-2.2'],
-        'expected_update_message_type' => static::SECURITY_UPDATE_REQUIRED,
-        'fixture' => 'sec.8.x-1.2_8.x-2.2',
-      ],
       // @todo In https://www.drupal.org/node/2865920 add test cases:
+      //   - 8.x-2.0 using fixture 'sec.8.x-1.2_8.x-2.2' to ensure that 8.x-2.2
+      //     is the only security update.
       //   - 8.x-3.0-beta1 using fixture 'sec.8.x-1.2_8.x-2.2' to ensure that
       //     8.x-2.2 is the  only security update.
     ];
@@ -702,9 +698,13 @@
         'expected_update_message_type' => static::UPDATE_NONE,
         'fixture' => 'sec.8.x-1.2_8.x-2.2',
       ],
+      '8.x-2.0, 8.x-1.2 8.x-2.2' => [
+        'module_patch_version' => '8.x-2.0',
+        'expected_security_releases' => ['8.x-2.2'],
+        'expected_update_message_type' => static::SECURITY_UPDATE_REQUIRED,
+        'fixture' => 'sec.8.x-1.2_8.x-2.2',
+      ],
       // @todo In https://www.drupal.org/node/2865920 add test cases:
-      //   - 8.x-2.0 using fixture 'sec.8.x-1.2_8.x-2.2' to ensure that 8.x-2.2
-      //     is the only security update.
       //   - 8.x-3.0-beta1 using fixture 'sec.8.x-1.2_8.x-2.2' to ensure that
       //     8.x-2.2 is the  only security update.
     ];
diff -u b/core/modules/update/tests/src/Functional/UpdateCoreTest.php b/core/modules/update/tests/src/Functional/UpdateCoreTest.php
--- b/core/modules/update/tests/src/Functional/UpdateCoreTest.php
+++ b/core/modules/update/tests/src/Functional/UpdateCoreTest.php
@@ -314,14 +314,6 @@
         'expected_update_message_type' => static::UPDATE_NONE,
         'fixture' => 'sec.0.2-rc2',
       ],
-      // Ensure that 8.0.2 security release is not shown because it is earlier
-      // version than 1.0.
-      '1.0, 0.2 1.2' => [
-        'site_patch_version' => '1.0',
-        'expected_security_releases' => ['1.2', '2.0-rc2'],
-        'expected_update_message_type' => static::SECURITY_UPDATE_REQUIRED,
-        'fixture' => 'sec.0.2-rc2',
-      ],
     ];
     $pre_releases = [
       '2.0-alpha1',
@@ -355,6 +347,14 @@
         'expected_update_message_type' => static::UPDATE_NONE,
         'fixture' => 'sec.0.2-rc2',
       ],
+      // Ensure that 8.0.2 security release is not shown because it is earlier
+      // version than 1.0.
+      '1.0, 0.2 1.2' => [
+        'site_patch_version' => '1.0',
+        'expected_security_releases' => ['1.2', '2.0-rc2'],
+        'expected_update_message_type' => static::SECURITY_UPDATE_REQUIRED,
+        'fixture' => 'sec.0.2-rc2',
+      ],
     ];
     $pre_releases = [
       '2.0-alpha1',
diff -u b/core/modules/update/update.compare.inc b/core/modules/update/update.compare.inc
--- b/core/modules/update/update.compare.inc
+++ b/core/modules/update/update.compare.inc
@@ -5,13 +5,13 @@
  * Code required only when comparing available updates to existing data.
  */
 
-use Drupal\Component\Version\Constraint;
-
 /**
  * Determines version and type information for currently installed projects.
 use Drupal\update\ModuleVersion;
 use Drupal\update\ProjectCoreCompatibility;
 
+use Drupal\Component\Version\Constraint;
+
 /**
  * Determines version and type information for currently installed projects.
  *
@@ -417,14 +417,7 @@
     // See if this release is a security update.
     if (isset($release['terms']['Release type'])
         && in_array('Security update', $release['terms']['Release type'])) {
-      // Only recommend security updates if their version is greater than the
-      // existing version.
-      $constraint = new Constraint("> {$project_data['existing_version']}", \Drupal::CORE_COMPATIBILITY);
-      // Remove the major version prefix, for example '8.x-', if any.
-      $constraint_testable_version = str_replace(\Drupal::CORE_COMPATIBILITY . '-', '', $release['version']);
-      if ($constraint->isCompatible($constraint_testable_version)) {
-        $project_data['security updates'][] = $release;
-      }
+      $project_data['security updates'][] = $release;
     }
   }
 
@@ -482,7 +475,14 @@
     // See if this release is a security update.
     if (isset($release['terms']['Release type'])
         && in_array('Security update', $release['terms']['Release type'])) {
-      $project_data['security updates'][] = $release;
+      // Only recommend security updates if their version is greater than the
+      // existing version.
+      $constraint = new Constraint("> {$project_data['existing_version']}", \Drupal::CORE_COMPATIBILITY);
+      // Remove the major version prefix, for example '8.x-', if any.
+      $constraint_testable_version = str_replace(\Drupal::CORE_COMPATIBILITY . '-', '', $release['version']);
+      if ($constraint->isCompatible($constraint_testable_version)) {
+        $project_data['security updates'][] = $release;
+      }
     }
   }