If the version is not covered by the HMAC, you may be subject to rollback attacks. Compare the SSLv2 and v3 protocols to see what was done to address this.
I'm sorry, I don't get it. For session cookies, the client cannot do any validation of the cookie, so it's a completely different domain.
Also, unlike session cookies, SSLv2 never had a hard expiration date after which it could be unconditionally rejected.
However, I did just realize that for perfect security, there must be a service disruption on change of version. Otherwise you may be upgrading an attacker's forged v1 cookie to v2, if they submit a request before the v1 expiration.
Upgrading cookies is a bad idea. Revoking them and requiring reauthentication is better. See the talk I gave at Google on web crypto where I talk about exactly that situation.
Really, it's very easy to make a mistake.