Getting ready to upgrade 11.4.3 multiple appliances with embedded Sybase DB, CA with external certs signed from eDir on first primary. Read the upgrade procedures, prereqs, cookbook ect.
Don't remember if anything specified about the order of whether to apply 2017 update 2a after the first migrated primary/DB/CA appliance and then migrate the remaining appliances to 2017. Or should I migrate all primary servers to 2017 base version then apply update 2a to all of them afterwards (with having only the DB primary up and running first then send U2a to the rest of the primaries when the first appliance is done)? I'm thinking there might be a conflict if the 2nd primary migrates up as just 2017 base and tries to talk to the DB on the first primary if it's already been brought up to 2017.U2a itself.

Also saw a post that mentioned being able to leave clients on old version like 11.4.3 if needed for time being. Thinking of maybe just upgrading our Win 10 clients to 2017 and leaving Win 7 alone since they're all in the process of being replaced with Win 10 anyway. When we went to 11.4.3 we built that up as a new zone and just did a bundle to un-reg and re-reg all PCs over to it from the old 11.1 zone. So all system updates like 11.4.3 have gone to all devices automatically in the past. If I wanted to only upgrade Win10 to 2017.U2a is it as simple as just making a deployment stage and setting the members to the Windows 10 dynamic workstation group rather than all devices? I'll still upgrade Satellite servers and any ZEN-managed Win 2012 servers it's just the workstations I'm thinking about separating out.
Thanks.