Security and upgrading 2.2 » 2.4

I have a client on 2.2.15 and haven't upgraded since the last "critical" security bulletin says 2.2.14 was the last version needing an update. However, the announcement in the news feed says:

Important: 2.3.6 contains a security patch and is considered a mandatory update.

So I'm confused. Is the upgrade to 2.3.6 just as critical? Should I go all the way and upgrade to 2.4? I'd rather not risk breaking something on the site by doing these updates. I haven't been using MODX lately, so I don't know how risky this would be vs. leaving things as they are.

Thanks for any advice!

Some security patches are for actively exploited vulnerabilities. Others are for theoretical vulnerabilities. In any case, it is always a good idea to keep your website software, whatever it may be, upgraded to the latest version at all times.

Problems due to upgrading are very rare. It is possible to clone your site and test the upgrade. And of course a full backup before doing anything to your site is always recommended.

There is a relatively new add-on for easing the process of upgrading MODX, UpgradeMODX, as well as the Updater add-on that can be configured to notify you by email whenever there is a new version available.

Thank you Susan. I'll check out that add-on.

There are some reports that some updates from some older versions don't get one or two new fields in certain database tables. These involve a "name" field in the contexts table and a "rank" field in the categories table. See http://forums.modx.com/thread/98953/can-i-upgrade-straight-from-2-3-2-to-2-4-2 for the potential problem - these appear to be rare instances that aren't consistent enough to be tracked down, but worth keeping in mind.