Keeping your Spree installation up-to-date is essential to keep it safe and secure. Each Spree version brings new features, enhancements and bug fixes so it's greatly beneficial for you and your clients to upgrade frequently.
The upgrade process is fairly easy and well described. Of course, it all boils down to the level of customizations and the way you've customized your Spree applications.
We strongly advise upgrading Spree incrementally, rather than in one big go.
If you're stuck and would want to get some professional help, you can contact us directly and request a quote for our consulting services.
Spree development follows a shifted version of Semantic Versioning:
Patch Z, eg. 4.2.1
Only bug fixes, no API changes, no new features. Except as necessary for security fixes.
Minor Y, eg. 4.2.0
New features, may contain API changes (Serve as major versions of Semver). Breaking changes are paired with deprecation notices in the previous minor or major release.
Major X, eg. 4.0.0
New features, will likely contain API changes. The difference between Spree minor and major releases is the magnitude of breaking changes and is usually reserved for special occasions.
Our Security policy is described here.
When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. We may provide backports of some critical security fixes.