The thing that always worries me is this: 2.3.3 is a known quantity and has had several security updates. 2.5 has a lot of new code — what if it has vulns in it? (It almost certainly has, just as 2.3.0 did).

Isn’t No. 1 above the best option — wait a while for the first 2.5.x security update?

Not really. Security updates that would have been put into 2.3.3 (and called 2.3.4 or whatever) will most likely be put into 2.5 and the vulnerabilities left in 2.3.3. So your choice, risk that nothing major has been left out of 2.3.3 or go to 2.5 and know that it’s as secure as it can be on release date.

If anything is found post-release, 2.5.x will be released.

For people with slow connections, why not try the SVN upgrade method?