With the introduction of the new release cadence, the Java community has made good on its promise to deliver innovation at an accelerated pace. Beginning with JDK 9 in September 2017, four six-month releases have now arrived, without slippage, on their expected delivery dates; today, 19 March 2019, marks the general availability (GA) of the fourth, JDK 12. For those wishing to adopt these new releases as they become available, one of the more common concerns revolves around the apparent lack of overlap between releases. That is to say, once a six-month release begins its support and update lifecycle, the previous version's lifecycle ends abruptly.
From a security perspective, there actually is an overlap. The GA dates for the six-month releases are deliberately placed in between the planned quarterly updates (scheduled each year in January, April, July and October). As a result, there is about a month's time where both old and new releases are at the same security baseline. Take JDK 12 as an example: introduced on 19 March, it will not receive a security update until 16 April. In the interim, there is no security difference between JDK 11 and JDK 12. That period can serve as a transition and testing window in which staying on JDK 11 does not sacrifice any security posture. The same overlap principle will hold true as newer JDK releases are introduced.
Additionally, to further assist in transitioning between releases, early access builds are accessible far in advance of their GA date. For example, early access versions of JDK 13 have been available since February 2019, affording developers and testers many months of advance preparation before its planned September 2019 release date.
While perhaps less than ideal, the combination of a month's worth of security baseline equivalence between the old release and the new, plus advance access to newer releases, should assist those following the continuous integration paradigm with Java releases.