Both updates are independent and there is no required order.
The KEK update (needs to be signed by the OEM because they own the PK) is required before June 2026. Microsoft will stop shipping security updates signed with 'Microsoft Corporation KEK CA 2011' after June because that is when the certificate expires. So DB/DBX updates shipped afterwards will only be signed by 'Microsoft Corporation KEK 2K CA 2023'.
The DB update (signed by 'Microsoft Corporation KEK CA 2011' and probably also by 'Microsoft Corporation KEK 2K CA 2023') is required to be able to boot Windows on a boot manager signed by 'Windows UEFI CA 2023', and optionally some other specific components. There is technically no set date for updating the boot manager, but it helps fully mitigate BlackLotus and other past vulnerabilities. In addition, if the boot manager needs to be patched in the future, it will only be released as a 2023-signed version. Thus the DB update will be required to support the new secure version.
The DB update is intentionally signed only by the old KEK, since machines that have the new KEK only will already have the new DB as well. And it prevents attackers from installing the 2023 third-party certificate on machines that only have the 2023 KEK and 2023 Windows certificate (no 2011 KEK) by a signed variable update.
Still, despite it being said that Microsoft does not automatically apply 2023 third-party certificates to systems that do not have 2011 third-party certificates "for security reasons", nobody stops an attacker who has local administrative access from doing so (by applying the published DB updates signed by the 2011 KEK).
So those security reasons are pretty moot as long as the machine has the 2011 KEK.
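
An added example, not part of the original discussion: a Python audit helper that parses raw KEK and db variable contents (EFI_SIGNATURE_LIST format, for example the `Bytes` returned by `Get-SecureBootUEFI`, or a Linux efivars file with its 4-byte attribute prefix removed) and reports which of the certificates named above are enrolled. The name match is a substring heuristic over the DER bytes, the helper names are hypothetical, and the sample variables are constructed, not real certificates.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
# Certificate names exactly as quoted in the discussion above.
KEK_2011 = b"Microsoft Corporation KEK CA 2011"
KEK_2023 = b"Microsoft Corporation KEK 2K CA 2023"
DB_2023 = b"Windows UEFI CA 2023"

def x509_entries(var_data):
    """Yield the DER blob of every X.509 entry in raw EFI_SIGNATURE_LIST data."""
    off = 0
    while off + 28 <= len(var_data):
        sig_type = var_data[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", var_data, off + 16)
        if list_size < 28 or off + list_size > len(var_data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_type == EFI_CERT_X509_GUID:
            while pos + sig_size <= end:
                yield var_data[pos + 16:pos + sig_size]  # skip SignatureOwner GUID
                pos += sig_size
        off = end  # other list types (e.g. hashes) are skipped

def has_cert(var_data, name):
    """Heuristic: the certificate name appears in some X.509 entry's DER bytes."""
    return any(name in der for der in x509_entries(var_data))

def assess(kek, db):
    """Summarise the rollover state of one machine from its KEK and db contents."""
    kek_2011, kek_2023 = has_cert(kek, KEK_2011), has_cert(kek, KEK_2023)
    return {
        "kek_2011": kek_2011,
        "kek_2023": kek_2023,
        "db_2023": has_cert(db, DB_2023),
        # While the 2011 KEK is enrolled, firmware accepts any published
        # db update signed by it, including the third-party 2023 one.
        "accepts_2011_signed_db_updates": kek_2011,
    }

def make_list(*blobs):
    """Constructed test data: one single-entry X.509 signature list per blob."""
    out = b""
    for blob in blobs:
        entry = bytes(16) + blob  # zero owner GUID + placeholder "certificate"
        out += EFI_CERT_X509_GUID + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry
    return out

# Constructed sample: machine with only the 2011 KEK and no 2023 db certificate.
SAMPLE_KEK = make_list(b"CN=" + KEK_2011)
SAMPLE_DB = make_list(b"CN=Constructed Example CA")
```

A machine reporting `kek_2011` true and `kek_2023` false still needs the OEM-signed KEK update; one reporting `db_2023` false cannot yet boot a boot manager signed by 'Windows UEFI CA 2023'.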