The Drupal security team publishes security updates to Drupal core and modules on Wednesdays. Usually once per month for Drupal core.
Do I actually have to test Drupal security updates?
By design, Drupal security updates should operate exactly the same way they did before the update. The only difference is that a security hole was plugged up.
During testing, clients get tired of running through their site, expecting to have the site operate exactly as it did before. (However, clients often find that no functionality has changed, but they identify functionality that doesn't operate they want it to any more.)
So, Drupal website owners ask if this testing is really necessary on their behalf.
Of course, we could implement automated tests for base functionality. (Although smaller sites don't have the budget to have us write or maintain these tests.)
Here's the reality:
- Some site owners have us do the testing and we push the security updates up to their production site ASAP.
- Some site owners have us push the security updates to a staging site and do testing themselves.
- A minority have any automated testing and even those folks test above and beyond the automation.
No matter who does the testing, we are always prepared to back off the security updates in case there is a problem.