Specifically the change in the default to escape strings and having to specify when you want to pass it through unsafely (html_safe / raw). Broke a lot of v2 apps, but ultimately I think it was definitely the right call. Same thing again when strong_params become the default. So mostly due to security improvements.

v2 -> v3 also was the merb merging and a pretty significant rewrite, so it's pretty impressive that we didn't have even more trouble IMO.