We launched the ESR to provide pain relief for network administrators, but it came long after the background update service was built, and it's not currently designed to handle multiple parallel branches. Supporting the ESR via background update is on our product backlog, but it's not likely to get done for a while. Just getting the ESR was the first battle, and we're making incremental improvements as time allows.
The really big organizations that we were targeting with the ESR typically run their own in-house auto-update servers or they push all updates through their own management tools (AD/SCUP/SMS/etc). Those organizations typically have onerous testing requirements for distributing feature-bearing updates, so the ESR was really designed to minimize the testing burden on those IT departments -- streamlining the distribution is something we want to do, but it was more important to just make it available as an option for distribution.
You can find details on running your own auto-update server in the administration guide, but it's non-trivial and we're still working out the kinks (notifications slip through in some edge-cases, etc). There's also a good rundown on the customization options for various updates. You may be better off using your standard software management tools to distribute updates in the short-term, depending on your environment's complexity and available resources:
Thanks for the helpful information, Jeromie.
Just one more thing: Do you still announce esr updates here Flash Runtime Announcements ?
If not, how can we learn about a new esr version release?
edit: maybe for your next admin guide you want to add a notice at the update section that esr is not supported yet
That's a really good point about the docs.
Guidance on the ESR is included in the release notes and the security bulletins for each release, but the long and short of it is that you want to always use the latest available version of the ESR branch. Normal releases happen monthly, on Patch Tuesday. Out-of-cycle releases happen as needed (i.e. we've seen an exploit in the wild) and we'll publish security bulletins and guidance about those.
If and when we change the ESR branch (in recent history this has been driven by the needs of the infrastructure), we try to provide as much lead time as possible and will announce in the forums and will typically post a blog post. The distinction being that we control the content in the forums directly, but everything else has to go through intermediaries.
I'd recommend that you sign up for the Adobe Security Notification service. Whenever patches with security impact for Adobe products become available, you'll get an email.