So… As @PawelP pointed out, a scheduled update occurs roughly every quarter (give or take). However, I believe Security Patches can be released at any time.
When an update is released, I like to give it a week or so before applying it to my Production environment. This allows any “hot-fixes” to be released in case it’s a bad update. And as @Mohamed_Suliman points out, this also allows you to test everything in your Development environment.
Sometimes you’ll find that you can update Magento because old/unsupported 3rd party modules hold it back due to various dependencies. This is a perfect reason why you should pay extra and purchase from reputable companies and not some kid in his bedroom who won’t be around when you really need him.
You should never wait more than 1 month to apply any patch to Magento for 2 very critical reasons:
- If it’s a security patch, then the information on your website vulnerabilities is now public.
- Under PCI DSS Compliance (Section 6.1), you will be viewed as negligent for not following security best practices. The PCI DSS governing body has the power to revoke Visa/Mastercard from allowing your business to transact. This rule would also apply to everything from 3rd party modules to PHP (and so much more).
PCI DSS Quick Reference Guide (Section 6.1):

> Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Deploy critical patches within a month of release. (Ref: pcisecuritystandards.org)

Luckily, Magento added the ability for you to apply security patches without the need to do a full update to make life a little easier. (Ref: Magento Official Documentation)
In my experience, the biggest complications come from the amount of 3rd party modules you shoe-horn into Magento. If you have to use 3rd party modules, be selective and only purchase from a Magento Technology Partner.
To summarise, aim for 2-4 weeks and don’t fall behind as it’s so much harder to catch up.
I appreciate some of this information is daunting, but I’d rather lay it all out in black and white.