Security release numbers and release timing

Last updated on
22 February 2023

Release numbers

Security releases of Drupal core and contributed projects currently use the normal version numbering scheme, with no special indication in the release number that a security fix is included.

For example, Drupal 7.1 was a security release, and Drupal 7.2 was a bug fix release made afterwards (containing no new security fixes besides those already released in Drupal 7.1).

The reason this approach was taken is that there is a large chunk of code that has a dependency on these version numbers, including Update Status and Update Manager modules in 6.x and 7.x, Drush, localize.drupal.org, the release packaging system, and so on.

A disadvantage of this approach, of course, is that it's not immediately clear which release is which. However, keep in mind that this information is readily available from the release notes (notice the "Security update" tag on the Drupal 7.1 release notes, for example) as well as from the list of security advisories for Drupal core and contributed projects and various other places, such as the Update Manager module within your Drupal site.

Release timing

Security release "windows" are every Wednesday for Drupal contributed projects, and one Wednesday a month (usually the third Wednesday) for Drupal core. We generally do not release contributed project security issues on same day as core unless the core fix should also be in contributed project. For example, a bug in core that affects Views for Drupal 10 which also affects the contributed module Views for Drupal 7 should have a core release for Drupal 10 and a contributed module release of Drupal 7 on the same day.

A release window does not necessarily mean that a release will actually be made on that date, but it exists so that site administrators can know in advance which days they should look out for a possible security release. (Also, in the unusual case of a highly critical security issue, such as one which is being actively exploited in the wild, releases may be made outside of the normal window.)

Security releases happen between 16:00 UTC and 22:00 UTC.

You can view all release windows (and all other core meetings) on this calendar.

Drupal core

For Drupal core, the current policy for security releases is that they occur on a different date than the monthly bug fix/feature release window:

  • Bug fix/feature release window on the first Wednesday of the month
  • Security release window on the third Wednesday of the month

Whenever a security release is created, it contains just the security fixes applied to the previous Drupal core release. The next bug fix/feature release, when it happens, will contain the previous security fixes plus all other fixes in the branch to date.

This approach is intended to allow site builders to upgrade immediately once a security hole is found, without the difficulty of wrangling patches, and without the terror of accidentally breaking their sites by pulling in other upstream changes that have not been widely tested yet.

Contributed projects

Currently, at least, Drupal contributed projects may not always follow the above policy. For example:

  • There may be still be two releases (a security release and a bug fix/feature release) but with both released on the same day. (Up until October 2012, Drupal core did both on the same day also.)
  • Or, there may be only one release, which contains both the security fix and bug fixes/features together, and which may therefore require more careful testing before it is deployed to production websites.

You can always check the release notes for a particular security release for more information about what exactly it contains.

Help improve this page

Page status: No known problems

You can: