Why Upgrade? | Absolute OpenBSD: Unix for the Practical Paranoid

The simplest answer to this good question is: because you don't have a choice. Security researchers, programmers, and skilled intruders continuously discover new ways to break into computers. While OpenBSD has gone for over seven years with "only one remote root hole in the default install," that doesn't mean that a two-year-old version of OpenBSD is secure. The OpenBSD Project only provides security updates for the two most recently released versions of its software. For example, when OpenBSD 3.5 comes out, OpenBSD 3.3 will be "end-of-lifed" and gradually lose support from the developer community. If a way to break into an OpenBSD 3.3 machine is discovered after version 3.5 comes out, the Project is not obliged to provide patches to fix the hole. You may be able to adjust new security patches to work on the older versions of the code, but backporting these patches will become increasingly difficult.

The good news is that various OpenBSD releases are usually binary-compatible. The MySQL install that you have running on your OpenBSD 2.9 machine will probably run just as well as ever on OpenBSD 3.3. You will probably want to upgrade that software as well, but the software wouldn't refuse to run just because you upgraded the operating system underneath it. This isn't guaranteed, but is common. You may need to reconfigure your software in some way or provide some other special support for it, however.

Applying security patches can also be considered an upgrade. Just because there isn't an exploitable problem in a default OpenBSD install doesn't mean that an exploitable problem doesn't exist in a feature that you turn on. For example, while OpenBSD 2.8 was out and current, a security hole was discovered in the telnet daemon. OpenBSD does not ship with telnetd enabled, so this wasn't a hole in the default install — but it is certainly a security problem in a function you might have chosen to enable! You must understand how to apply security patches, either by applying the patch in and of itself or by upgrading the entire system.