Adobe Commerce Shifts to Monthly Patch Release Schedule

On January 6, 2026, Adobe announced a significant change to the Adobe Commerce patch release schedule. Effective immediately, Adobe shifts to monthly isolated security patch releases, supplemented by annual major May patches. This change fundamentally improves security update frequency whilst providing merchants greater predictability and control.

The Previous Model

Traditional Adobe Commerce followed quarterly patch releases (February, May, August, November) bundling security fixes, bug fixes, and feature enhancements. Merchants faced a choice: accept all bundled changes or delay security patches waiting for cleaner releases. This created security gaps and operational friction—merchants unable to accept bundled changes fell behind on critical security improvements.

The New Model

Under the new monthly release cycle, Adobe releases isolated security patches every month (outside May). These patches contain security fixes only—no feature changes, no breaking API modifications, minimal testing burden. This enables merchants to deploy security patches rapidly without operational risk. May remains the annual release window for major features and improvements.

Security Patch Frequency

Merchants now receive security patches monthly rather than quarterly. This dramatically reduces the window between vulnerability disclosure and patch availability. For critical vulnerabilities, this accelerated timeline significantly reduces exposure risk. Merchants can plan regular security update windows monthly rather than quarterly, building security reviews into routine operations.

Merchant Benefits

Monthly isolated patches mean easier deployment decisions—security patches include minimal risk, enabling rapid deployment. Merchants no longer need extensive testing for security-only releases. The May annual release provides a predictable window for feature releases and significant updates, allowing merchants to plan accordingly.

Operations Impact

For development teams, monthly patches are simpler to manage. Isolated security fixes mean minimal regression risk. Merchants can implement automated patching for monthly releases, with human review reserved for annual May releases. This operational simplification benefits teams of all sizes.

Adoption and Timeline

The new schedule is effective immediately. Merchants should plan for monthly security patch review cycles and quarterly testing of annual May releases. For Tom&Co's managed partnerships, this is straightforward—we'll coordinate monthly patch deployment with minimal customer involvement, with more substantial planning for annual releases.

Looking Forward

This schedule change reflects Adobe's commitment to security. By increasing patch frequency and isolating security updates, Adobe is reducing merchant security risk and operational burden. For merchants taking security seriously, this is excellent news. For Tom&Co and partners, this enables us to recommend greater confidence in platform security posture and provides clearer operational roadmaps.