Planning a Sitecore Upgrade: Answering Questions to Future-Proof your CMS 

By: Jeff Hansen, CTO and CISO

When implementing Sitecore, it is critical to keep watch on your support timeline.  Sitecore’s three phases of support are categorized as Mainstream, Extended, and Sustaining.  The table below itemizes the timeline and types of support for each phase as noted by Sitecore (2022). One can see the support type that is included (✓), available at an extra cost ($) or not available (-).

Support Type Mainstream  Extended  Sustaining  
Timeline for support phase, based upon product’s general availability date 3 years 6 years 8 years 
Sitecore online documentation, knowledge base, and discussion forums access ✓ ✓ ✓ 
Product version upgrades assistance  ✓ ✓ ✓ 
Production incidents assistance ✓ ✓ 
Security updates and fixes ✓ ✓ – 
Assistance with errors or unexpected behavior during installation or development ✓ – 
Hotfixes or patches for product defects ✓ – 
Compatibility fixes for supported technology platforms ✓ – – 

Will an out-of-date system still work? 

It is important to note that Sitecore is an incredibly dependable system with very few security vulnerabilities. Organizations can, in fact, successfully run their websites on versions that are many years out of date, so it’s not a matter of the system “working” or not.  Even secure systems will have the occasional security vulnerability, and if you’re off support for too long, you won’t be able to get patches for it.  Sitecore also runs on underlying Microsoft infrastructure, so an organization may sometimes be running Sitecore on Microsoft server and SQL Server versions that are end of life and no longer supported by Microsoft, which creates a cascading effect. Digital experiences move fast, and if you don’t keep up, you will fall behind relative to your peers and competitors; this will cost you real money.  The feature upgrades of Sitecore are where the real business value lives. It is also important to note that the upgrade can become more difficult if one is several versions behind, especially on solutions with custom code.  Although infrequent, there are sometimes breaking changes within the Sitecore kernel, which can lead to a more cumbersome upgrade path.

Is it important to stay current with each level of support? 

From a risk management perspective, most clients want to stay in the Mainstream support phase for any product that they are using.  This provides an organization with the most coverage, the most up-to-date knowledge base, and the fastest support response times.  Some clients are comfortable with going into the Extended support phase because they can still pay for basically the same level of service, so if one budgets for that, the support impact is minimal.  Clients should most certainly avoid Sustaining support (more than 6 years old), for they start losing out on the security updates and fixes, and that’s where the real risks come in.  

What is the frequency and length of outages?  

WayPath typically conducts upgrades by standing up a parallel environment and deploying them using a blue-green method that minimizes or eliminates any downtime.  This does introduce parallel production environments, and that causes some period of time where there is a content freeze or duplicate entry in the old and new systems.  WayPath manages our projects to minimize that overlap, so it’s not overly burdensome on the clients.  

Does security become a concern if Sitecore isn’t actively being enhanced?  

Security is undoubtedly a concern.  Sitecore is one of the most secure content management systems in the world, but there are still disclosed vulnerabilities that need to be patched.  Not staying on top of upgrades and patching equates to an invitation to hackers. A lot of people will say “but it’s just the marketing site”, but in today’s world, the marketing site is integrated with line-of-business systems. Thus, a breach of the site can lead to lateral movement and cause severe compromises, and that’s not even accounting for the reputational hit an organization takes when the public-facing website is defaced or the site visitors’ data is stolen.

Why is there a reluctance to upgrade? 

Organizations may not prioritize upgrades due to a lack of staffing resources, a lack of funds, or competing priorities. Organizational inertia may exist, and stakeholders may not be able to foresee how to capitalize on new features.  There are all sorts of reasons why clients don’t upgrade, but the common denominator is that traditionally Sitecore upgrades have been hard.  They take time away from feature development and cost money that people haven’t budgeted for.  Things break between versions, and it can take a long time to figure out everything that’s gone wrong.  Upgrading has also typically involved standing up a parallel environment, so it takes time and potentially incurs more infrastructure costs while one is running both environments.

Sitecore has been aware of the pain in upgrades for a long time, and they’ve made some real strides in recent versions to streamline the process.  The promise of Sitecore XM Cloud is that big bang upgrades are a thing of the past, and new, backwards compatible features are rolled out on a continuous basis. This allows clients to be more Agile and reduce the overall periodic investment in things like upgrades.  When clients are doing ROI calculations of moving to Sitecore XM Cloud, they should absolutely factor in the reality of no more upgrade projects because it’s traditionally been a large hidden cost that isn’t otherwise accounted for.  

What resources are required for an upgrade?  

An organization typically needs infrastructure and application resources to actually perform the nuts and bolts of the upgrade.  Sometimes, one needs front-end resources to tweak things that might have changed slightly from version to version.  The hidden resources needed are the clients who know the system well and what it’s supposed to do.  These clients need to be actively involved in regression testing the upgraded system to ensure that all the things that they do still work.  

How long does an upgrade take?  What factors contribute to that speed?  

It very much depends upon the complexity of the implementation as well as the number of versions being upgraded.  Going from Sitecore 8 to 10 is going to be a much more difficult endeavor than doing a 10.1 to 10.2 upgrade.  WayPath can use the number of items in the database and the number of lines of code as a rough estimate of the solution complexity when factoring in application resources and client UAT needs.  We’ve done upgrades in as little as a month but have also seen them stretch out to six months or more depending upon the factors noted above and the business urgency.  There are also some version upgrades where the underlying infrastructure drastically changes, so it’s not just the number of versions that an organization is upgrading, but which specific versions an organization is upgrading from and to.  Integrations can also play a role in the upgrade, especially if any open-source packages have been used from the Sitecore Marketplace that may not be supported on the new version of Sitecore.  It’s important to do a detailed discovery prior to an upgrade to ensure a strong sense of all the moving parts and pieces to estimate a realistic timeline and resource needs.  

Why should your organization take the next step and upgrade? 

In addition to the security and support benefits previously detailed, there are significant new technologies within the latest versions of Sitecore that could benefit a company.  These enhanced features include the following: 

  • AI-enabled personalization
  • Support for next generation headless development
  • Reusable content testing and rules-based content profiling
  • More advanced analytics and reporting
  • Support for containerized deployments

The latest version of Sitecore will allow you to fully and efficiently leverage your CMS in order to meet your business goals. There is no time like the present, and the time to upgrade is now. 

About the Author: 

As the Chief Technology Officer and Chief Information Security Officer at WayPath, Jeff Hansen has brought his knowledge and passion to the company for nearly 20 years and has spent the last 15 years focusing on digital engagement and marketing technology solutions, including digital experience platforms, intelligent search, and analytics.  Jeff’s dual role in solution leadership and IT security gives him a different lens through which to view increasingly complex and customer data-centric solutions which are needed to compete in today’s changing landscape.  
