Upgrading from 9.0 to 12.2 gives you 9.4 years worth of fixes (16 of them)

⇑ Security fixes:

Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function (Stephen Frost)
pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue.
After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed. (CVE-2018-1115)

⇑ Configuration changes:

⇑ Removed config parameters:

Config parameter:	Default value:
checkpoint_segments	3
custom_variable_classes
default_with_oids	off
krb_srvname	postgres
silent_mode	off
sql_inheritance	on
ssl_renegotiation_limit	524288
unix_socket_directory
wal_sender_delay	200

⇑ Added config parameters:

Config parameter:	Default value:
archive_cleanup_command
autovacuum_multixact_freeze_max_age	400000000
autovacuum_work_mem	-1
backend_flush_after	0
bgwriter_flush_after	64
checkpoint_flush_after	32
cluster_name
data_checksums	off
data_directory_mode	0700
data_sync_retry	off
default_table_access_method	heap
default_transaction_deferrable	off
dynamic_shared_memory_type	posix
enable_gathermerge	on
enable_indexonlyscan	on
enable_parallel_append	on
enable_parallel_hash	on
enable_partition_pruning	on
enable_partitionwise_aggregate	off
enable_partitionwise_join	off
event_source	PostgreSQL
exit_on_error	off
force_parallel_mode	off
gin_pending_list_limit	4096
hot_standby_feedback	off
huge_pages	try
idle_in_transaction_session_timeout	0
ignore_checksum_failure	off
jit	on
jit_above_cost	100000
jit_debugging_support	off
jit_dump_bitcode	off
jit_expressions	on
jit_inline_above_cost	500000
jit_optimize_above_cost	500000
jit_profiling_support	off
jit_provider	llvmjit
jit_tuple_deforming	on
lock_timeout	0
log_file_mode	0600
log_replication_commands	off
log_transaction_sample_rate	0
max_logical_replication_workers	4
max_parallel_maintenance_workers	2
max_parallel_workers	8
max_parallel_workers_per_gather	2
max_pred_locks_per_page	2
max_pred_locks_per_relation	-2
max_pred_locks_per_transaction	64
max_replication_slots	10
max_sync_workers_per_subscription	2
max_wal_size	1024
max_worker_processes	8
min_parallel_index_scan_size	64
min_parallel_table_scan_size	1024
min_wal_size	80
old_snapshot_threshold	-1
operator_precedence_warning	off
parallel_leader_participation	on
parallel_setup_cost	1000
parallel_tuple_cost	0.1
plan_cache_mode	auto
primary_conninfo
primary_slot_name
promote_trigger_file
quote_all_identifiers	off
recovery_end_command
recovery_min_apply_delay	0
recovery_target
recovery_target_action	pause
recovery_target_inclusive	on
recovery_target_lsn
recovery_target_name
recovery_target_time
recovery_target_timeline	latest
recovery_target_xid
restart_after_crash	on
restore_command
row_security	on
session_preload_libraries
shared_memory_type	mmap
ssl_ca_file
ssl_cert_file	server.crt
ssl_ciphers	none
ssl_crl_file
ssl_dh_params_file
ssl_ecdh_curve	none
ssl_key_file	server.key
ssl_library
ssl_max_protocol_version
ssl_min_protocol_version	TLSv1
ssl_passphrase_command
ssl_passphrase_command_supports_reload	off
ssl_prefer_server_ciphers	on
synchronous_standby_names
syslog_sequence_numbers	on
syslog_split_messages	on
tcp_user_timeout	0
temp_file_limit	-1
track_commit_timestamp	off
track_io_timing	off
transaction_deferrable	off
unix_socket_directories	/tmp
vacuum_cleanup_index_scale_factor	0.1
vacuum_multixact_freeze_min_age	5000000
vacuum_multixact_freeze_table_age	150000000
wal_compression	off
wal_consistency_checking
wal_init_zero	on
wal_log_hints	off
wal_receiver_status_interval	10
wal_receiver_timeout	60000
wal_recycle	on
wal_retrieve_retry_interval	5000
wal_sender_timeout	60000
wal_writer_flush_after	128

⇑ Config parameters with changed default value:

Config parameter:	Default value in Pg 9.0:	Default value in Pg 12.2:
autovacuum_vacuum_cost_delay	20	2
effective_cache_size	16384	524288
extra_float_digits	0	1
hot_standby	off	on
log_directory	pg_log	log
log_line_prefix		%m [%p]
maintenance_work_mem	16384	65536
max_wal_senders	0	10
password_encryption	on	md5
search_path	"$user",public	"$user", public
shared_buffers	4096	16384
standard_conforming_strings	off	on
unix_socket_permissions	511	0777
wal_buffers	8	512
wal_level	minimal	replica
wal_segment_size	2048	16777216
wal_sync_method	open_datasync	fdatasync
work_mem	1024	4096

List of changes:

⇑ Upgrade to 9.1 released on 2011-09-12 - docs
- Add XML functions xml_is_well_formed(), xml_is_well_formed_document(), xml_is_well_formed_content() (Mike Fowler)
  These check whether the input is properly-formed XML. They provide functionality that was previously available only in the deprecated contrib/xml2 module.
- Mark createlang and droplang as deprecated now that they just invoke extension commands (Tom Lane)
⇑ Upgrade to 9.1.3 released on 2012-02-27 - docs
- Use __sync_lock_test_and_set() for spinlocks on ARM, if available (Martin Pitt)
  This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation.
⇑ Upgrade to 9.3.3 released on 2014-02-20 - docs
- Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri)
⇑ Upgrade to 9.4 released on 2014-12-18 - docs
- Remove native support for Kerberos authentication (--with-krb5, etc) (Magnus Hagander)
  The supported way to use Kerberos authentication is with GSSAPI. The native code has been deprecated since PostgreSQL 8.3.
⇑ Upgrade to 9.5 released on 2016-01-07 - docs
- Decommission server configuration parameter ssl_renegotiation_limit, which was deprecated in earlier releases (Andres Freund)
  While SSL renegotiation is a good idea in theory, it has caused enough bugs to be considered a net negative in practice, and it is due to be removed from future versions of the relevant standards. We have therefore removed support for it from PostgreSQL. The ssl_renegotiation_limit parameter still exists, but cannot be set to anything but zero (disabled). It's not documented anymore, either.
- Remove server configuration parameter autocommit, which was already deprecated and non-operational (Tom Lane)
- Add libpq functions to return SSL information in an implementation-independent way (Heikki Linnakangas)
  While PQgetssl() can still be used to call OpenSSL functions, it is now considered deprecated because future versions of libpq might support other SSL implementations. When possible, use the new functions PQsslAttribute(), PQsslAttributeNames(), and PQsslInUse() to obtain SSL information in an SSL-implementation-independent way.
⇑ Upgrade to 9.6 released on 2016-09-29 - docs
- Remove the long-deprecated CREATEUSER/NOCREATEUSER options from CREATE ROLE and allied commands (Tom Lane)
  CREATEUSER actually meant SUPERUSER, for ancient backwards-compatibility reasons. This has been a constant source of confusion for people who (reasonably) expect it to mean CREATEROLE. It has been deprecated for ten years now, so fix the problem by removing it.
- Add macros to make AllocSetContextCreate() calls simpler and safer (Tom Lane)
  Writing out the individual sizing parameters for a memory context is now deprecated in favor of using one of the new macros ALLOCSET_DEFAULT_SIZES, ALLOCSET_SMALL_SIZES, or ALLOCSET_START_SMALL_SIZES. Existing code continues to work, however.
- Add configuration parameter pg_trgm.similarity_threshold for contrib/pg_trgm's similarity threshold (Artur Zakirov)
  This threshold has always been configurable, but formerly it was controlled by special-purpose functions set_limit() and show_limit(). Those are now deprecated.
⇑ Upgrade to 10 released on 2017-10-05 - docs
- Remove createlang and droplang command-line applications (Peter Eisentraut)
  These had been deprecated since PostgreSQL 9.1. Instead, use CREATE EXTENSION and DROP EXTENSION directly.
- Remove support for version-0 function calling conventions (Andres Freund)
  Extensions providing C-coded functions must now conform to version 1 calling conventions. Version 0 has been deprecated since 2001.
⇑ Upgrade to 10.2 released on 2018-02-08 - docs
- Provide modern examples of how to auto-start Postgres on macOS (Tom Lane)
  The scripts in contrib/start-scripts/osx use infrastructure that's been deprecated for over a decade, and which no longer works at all in macOS releases of the last couple of years. Add a new subdirectory contrib/start-scripts/macos containing scripts that use the newer launchd infrastructure.
⇑ Upgrade to 10.4 released on 2018-05-10 - docs
- Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function (Stephen Frost)
  pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue.
  After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed. (CVE-2018-1115)
⇑ Upgrade to 11 released on 2018-10-18 - docs
- Remove deprecated adminpack functions pg_file_read(), pg_file_length(), and pg_logfile_rotate() (Stephen Frost)
  Equivalent functionality is now present in the core backend. Existing adminpack installs will continue to have access to these functions until they are updated via ALTER EXTENSION ... UPDATE.