Specifically that the security releases included changes to the way that ActiveRecord works (which were unrelated to the security issues).
As a consequence, their search queries were scoped differently than what they had intended. So their choice was roll back the security release, or modify their app to accommodate ActiveRecord's altered behavior.
Actually, ironically, the _particular_ bug that changed how ActiveRecord works... which caused security problems... was actually an unintentional regression in a _security patch_.
There were ALSO unrelated changes (quite many) in the patch release that included the latest security fixes. Which is a mess.
So, yes, a security fix unintentionally introduced a regression with _other_ security implications. Yeah, this is kind of ironic, and yeah, it means it's not so simple to say what could have been done to avoid it. (In this case, I'm surprised there wasn't an automated test already that caught the particular regression. It seems like something that should have been tested. But I haven't looked at the test source to see if it was an odd edge case or what have you.)
(But it's STILL bad practice to release security patches only in releases bundled with a bunch of other changes).
As a consequence, their search queries were scoped differently than what they had intended. So their choice was roll back the security release, or modify their app to accommodate ActiveRecord's altered behavior.