So, you've created a Drupal site, customized a few bits here or there of Drupal core to satisy your client, and everyone's happy.

Then, a new security update is released. Suddenly those changes look in danger of being overwritten with the upgrade. What to do?

If your changes are just tweaks rather than a major rewrite, the following two-stage upgrade process has always worked well for me. You will need the original Drupal files of your currently installed version ('base'), and a copy of the new version files in another directory ('new'). You also need access to a copy of your production server Drupal files ('live').

To apply security patches non-destructively:

Stage 1

1. Back up 'live'!!
2. View CHANGELOG.txt in the root of 'live' -- note the most recent version number listed
3. Ensure that 'base' and 'new' sources are expanded and accessible in separate folders
4. Run the following command:
   

       diff -ruN C:\dev\base C:\dev\new > drupal-base-to-new-changes.diff
   

Stage 2

1. Change dir to 'live' (eg. C:\dev\live). Do a 'dry run' with this patch:

       patch -p1 -u --dry-run < drupal-base-to-new-changes.diff > results.txt
   

2. View results.txt with a particular eye for any errors. Where conflicts occur, manually review the patch segment and edit the source or patch (as appropriate) to resolve the conflict. Alternatively, if the patch segment in question should not be applied, you can leave things without modification.
3. Repeat the dry run in step 6 until you are happy with the results. Apply for real with:
   

       patch -p1 -u < drupal-base-to-new-changes.diff > results.txt
   

4. Review and delete any .rej files created as part of the patch process.