Release Notes for v26.2-v26.2.0-beta.3 (#23170)

* Update release notes for v26.2-v26.2.0-beta.3

Author: release-notes-automation[bot]

src/current/_data/releases.yml

@@ -11116,3 +11116,31 @@
       CockroachDB Cloud clusters. To request to upgrade
       a CockroachDB self-hosted cluster to this version,
       [contact support](https://support.cockroachlabs.com/hc/requests/new).
+
+
+- release_name: v26.2.0-beta.3
+  major_version: v26.2
+  release_date: '2026-04-08'
+  release_type: Testing
+  go_version: go1.25.5
+  sha: 1c35a1e86e9b82b99c0bf57c44877dc5a80c5c2d
+  has_sql_only: true
+  has_sha256sum: true
+  mac:
+    mac_arm: true
+    mac_arm_experimental: true
+    mac_arm_limited_access: false
+  windows: true
+  linux:
+    linux_arm: true
+    linux_arm_experimental: false
+    linux_arm_limited_access: false
+    linux_intel_fips: true
+    linux_arm_fips: false
+  docker:
+    docker_image: cockroachdb/cockroach-unstable
+    docker_arm: true
+    docker_arm_experimental: false
+    docker_arm_limited_access: false
+  source: true
+  previous_release: v26.2.0-beta.2

src/current/_includes/releases/v26.2/v26.2.0-beta.3.md

@@ -0,0 +1,63 @@
+## v26.2.0-beta.3
+
+Release Date: April 8, 2026
+
+{% include releases/new-release-downloads-docker-image.md release=include.release %}
+
+<h3 id="v26-2-0-beta-3-backward-incompatible-changes">Backward-incompatible changes</h3>
+
+- User-defined views that reference `crdb_internal` virtual tables now enforce unsafe access checks. To restore the previous behavior, set the session variable `allow_unsafe_internals` or the cluster setting `sql.override.allow_unsafe_internals.enabled` to `true`. [#167023][#167023]
+- `REFRESH MATERIALIZED VIEW` now evaluates row-level security (RLS) policies using the view owner's identity instead of the invoker's, matching PostgreSQL's definer semantics. [#167419][#167419]
+
+<h3 id="v26-2-0-beta-3-security-updates">Security updates</h3>
+
+- Removed an overly restrictive TLS curve preference that limited FIPS mode to P-256. CockroachDB now uses Go's native FIPS curve selection, improving interoperability with clients that prefer other FIPS curves. [#166793][#166793]
+
+<h3 id="v26-2-0-beta-3-sql-language-changes">SQL language changes</h3>
+
+- Added a new cluster setting, `sql.schema.auto_unlock.enabled`, that controls whether DDL operations automatically unlock `schema_locked` tables. When set to `false`, DDL on schema-locked tables is blocked unless the user manually unlocks the table first. This allows customers using LDR to enforce `schema_locked` as a hard lock that prevents user-initiated DDL. The default is `true`, preserving existing behavior. [#166471][#166471]
+- Added a new cluster setting `sql.prepared_transactions.unsafe.enabled` (default: `false`) that controls whether `PREPARE TRANSACTION` statements are accepted. This setting is marked unsafe and requires the unsafe setting interlock to change. When disabled, attempting to prepare a transaction returns an error. `COMMIT PREPARED` and `ROLLBACK PREPARED` remain available regardless of this setting to allow cleanup of existing prepared transactions. [#166855][#166855]
+- Aggregation function `ST_AsMVT` can now also be used as a window function. [#166860][#166860]
+- `CREATE CHANGEFEED FOR DATABASE` now returns an error stating that the feature is not implemented. [#166920][#166920]
+- The `information_schema.crdb_delete_statement_hints` built-in function now accepts an optional second `database` argument to delete only hints scoped to a specific database. [#167192][#167192]
+- The `information_schema.crdb_enable_statement_hints` built-in function now accepts an optional third `database` argument to enable or disable only hints scoped to a specific database. [#167192][#167192]
+- Setting `skip_unique_checks = true` on an index now emits a notice warning that unique constraint enforcement is bypassed, with a pointer to the `INSPECT` documentation. [#167405][#167405]
+
+<h3 id="v26-2-0-beta-3-operational-changes">Operational changes</h3>
+
+- Added two new metrics, `auth.cert.san.conn.total` and `auth.cert.san.conn.success`, to track SAN-based certificate authentication attempts and successes. [#166829][#166829]
+- Added a new cluster setting `changefeed.kafka.max_request_size` and a per-changefeed `Flush.MaxBytes` option in the Kafka sink config to control the maximum size of record batches sent to Kafka by the v2 sink. Lowering this from the default of 256 MiB can prevent spurious message-too-large errors when multiple batches are coalesced into a single broker request. [#166740][#166740]
+
+<h3 id="v26-2-0-beta-3-bug-fixes">Bug fixes</h3>
+
+- Fixed a data race that could cause certificate expiration metrics (`security.certificate.expiration.node-client`, `security.certificate.expiration.client-tenant`, `security.certificate.expiration.ca-client-tenant` and their TTL counterparts) to not update after certificate rotation via `SIGHUP`. [#166664][#166664]
+- Fixed a bug where `ALTER FUNCTION ... RENAME TO` and `ALTER PROCEDURE ... RENAME TO` could create duplicate functions in non-public schemas. [#166681][#166681]
+- The PCR job now switches into the cutover phase more promptly after a failover is requested, terminating the replication phase more quickly and more reliably when components of the ingestion process are hung due to network errors. [#166778][#166778]
+- Fixed a bug where descriptor version fetching could be incorrectly throttled by the elastic CPU limiter, potentially leading to increased query latency or timeouts under high CPU load. [#166810][#166810]
+- Context cancellation is now surfaced if a `statement_timeout` occurs while waiting for a schema change. [#167112][#167112]
+- Fixed a bug where transient I/O errors (such as cloud storage network timeouts) during split or merge trigger evaluation were misidentified as replica corruption, causing the node to crash. These errors now correctly fail the operation, which is retried automatically. [#167377][#167377]
+- Fixed a bug where executing a mutation in a subquery (e.g., as a CTE) could cause the "rows written" metrics like `sql.statements.index_rows_written.count` and `sql.statements.index_bytes_written.count` to not be incremented correctly. [#167432][#167432]
+- Fixed a bug where converting a table from `REGIONAL BY ROW` to `GLOBAL` would not clear the `skip_unique_checks` storage parameter on the primary key, even though implicit partitioning was removed. [#167484][#167484]
+- Fixed a bug where the `lock_timeout` and `deadlock_timeout` session settings were not honored by FK existence checks performed during insert fast path execution. This could cause inserts to block indefinitely on conflicting locks instead of returning a timeout error. [#167532][#167532]
+
+
+[#166471]: https://github.com/cockroachdb/cockroach/pull/166471
+[#167377]: https://github.com/cockroachdb/cockroach/pull/167377
+[#167484]: https://github.com/cockroachdb/cockroach/pull/167484
+[#166681]: https://github.com/cockroachdb/cockroach/pull/166681
+[#167112]: https://github.com/cockroachdb/cockroach/pull/167112
+[#166855]: https://github.com/cockroachdb/cockroach/pull/166855
+[#167192]: https://github.com/cockroachdb/cockroach/pull/167192
+[#167405]: https://github.com/cockroachdb/cockroach/pull/167405
+[#166664]: https://github.com/cockroachdb/cockroach/pull/166664
+[#166810]: https://github.com/cockroachdb/cockroach/pull/166810
+[#167432]: https://github.com/cockroachdb/cockroach/pull/167432
+[#167023]: https://github.com/cockroachdb/cockroach/pull/167023
+[#166860]: https://github.com/cockroachdb/cockroach/pull/166860
+[#166829]: https://github.com/cockroachdb/cockroach/pull/166829
+[#166740]: https://github.com/cockroachdb/cockroach/pull/166740
+[#167532]: https://github.com/cockroachdb/cockroach/pull/167532
+[#166793]: https://github.com/cockroachdb/cockroach/pull/166793
+[#166920]: https://github.com/cockroachdb/cockroach/pull/166920
+[#166778]: https://github.com/cockroachdb/cockroach/pull/166778
+[#167419]: https://github.com/cockroachdb/cockroach/pull/167419