Also, it brings up the question: why merely use $2a$ running the new
code rather than fully emulate the bug even for newly set passwords,
which would make all passwords work, even on other networked machines?
Sure, that would be even nastier for security, so maybe you managed to
strike a balance well. But nevertheless the question is there. One of
your options results in full backwards compatibility at a security cost
(for the local system), but the other somehow chooses to strike a
balance between compatibility and security without achieving either of
these fully (for a network of systems).
Maybe you can afford to drop BLOWFISH_2y to avoid those inconsistencies?
I imagine that people won't know to enable this option unless/until they
have already run into an issue anyway (that is, someone is already
unable to log in). At this point, they could likely upgrade the rest of
their networked systems as well... or downgrade this one. ;-(