One side effect is leaking a little information (i.e. your OS) to a potential adversary, but the risk from this is vanishingly small.
Not necessarily. This guy downloaded all the public keys in the Post PGP Keys thread up to that point:
http://dkn255hz262ypmii.onion/index.php?topic=174.msg666607#msg666607
1356 keys total. So, I downloaded all the keys and filtered them by version.
Here are the results (I removed a few that were posted incorrectly):
grep -A1 BEGIN sr-2012-12-18-collection.asc | grep -v "^\-" | sort | uniq -c | sort -nr
606 Version: GnuPG v2.0.17 (MingW32)
106
83 Version: GnuPG v2.0.19 (MingW32)
67 Version: GnuPG v2.0.17 (GNU/Linux)
65 Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
61 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
60 Version: GnuPG v1.4.11 (GNU/Linux)
60 Version: GnuPG v1.4.10 (GNU/Linux)
41 Version: GnuPG v1.4.12 (MingW32)
33 Version: GnuPG v1.4.11 (MingW32)
30 Version: GnuPG v2.0.19 (GNU/Linux)
17 Version: GnuPG v2.0.14 (GNU/Linux)
15 Version: BCPG v1.47
14 Version: BCPG v1.39
8 Version: GnuPG v1.4.12 (GNU/Linux)
6 Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
5 Version: BCPG C# v1.6.1.0
4 Version: GnuPG v2.0.18 (GNU/Linux)
4 Version: GnuPG v1.4.2 (MingW32)
3 Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
3 Version: PGP Desktop 10.1.1 (Build 10)
3 Version: GnuPG v1.4.9 (MingW32)
3 Version: BCPG v1.47
2 Version: PGP Desktop 9.0.2 (Build 2424) - not licensed for commercial use: www.pgp.com
2 Version: GnuPG v2.0.16 (MingW32)
2 Version: GnuPG v2.0.14 (MingW32)
2 Version: GnuPG v1.4.9 (Darwin)
2 Version: GnuPG v1.4.2 (MingW32) - WinPT 1.4.2
2 Version: GnuPG v1.4.12 (MingW32)
2 Version: GnuPG v1.4.12 (Darwin)
2 Version: GnuPG v1.4.11 (MingW32) - WinPT 1.4.3
2 Version: GnuPG v1.4.11 (MingW32)
2 Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
1 Version: SKS 1.1.1
1 Version: PGP Universal 2.9.1 (Build 347)
1 Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.
1 Version: PGP Desktop 9.9.0 (Build 397) - not licensed for commercial use: www.pgp.com
1 Version: PGP Desktop 10.2.1 - not licensed for commercial use: www.pgp.com
1 Version: PGP Desktop 10.2.0 (Build 1950)
1 Version: PGP Desktop 10.2.0 (Build 1672)
1 Version: PGP Desktop 10.1.2 (Build 9)
1 Version: PGP Desktop 10.1.1 (Build 10) - not licensed for commercial use: www.pgp.com
1 Version: PGP Desktop 10.0.3 (Build 1)
1 Version: PGP Desktop 10.0.1 (Build 4020)
1 Version: iPGMail (1.33)
1 Version: iPGMail (1.29)
1 Version: Hush 3.0
1 Version: GnuPG v2.0.19 (Darwin)
1 Version: GnuPG v2.0.19
1 Version: GnuPG v2.0.17 (MingW32)
1 Version: GnuPG v2.0.13 (SunOS)
1 Version: GnuPG v2.0.13 (GNU/Linux)
1 Version: GnuPG v1.4.5 (GNU/Linux)
1 Version: GnuPG v1.4.3 (MingW32)
1 Version: GnuPG v1.4.2 (MingW32)
1 Version: GnuPG v1.4.12-SpecialBuild (MingW32) - WinPT 1.5.3
1 Version: GnuPG v1.4.12 (MingW32) - WinPT 1.5.3
1 Version: GnuPG v1.4.12 (MingW32) - WinPT 1.5.2
1 Version: GnuPG v1.4.12 (Darwin)
1 Version: GnuPG v1.4.12 (Cygwin)
1 Version: GnuPG v1.4.11 (OpenBSD)
1 Version: GnuPG v1.2.6 (GNU/Linux)
1 Version: FileAssurity OpenPGP 2.0.2
1 Version: BCPG v1.47
1 Version: BCPG v1.47
1 Version: BCPG v1.45
1 Version: BCPG C# v1.6.1.0
1 Version: 6.5.8ckt b9 http://www.mccune.cc/PGP.htm
1 Version: 6.5.8ckt b9 http://cyberkt.tripod.com/
1 Version: 10.1.2.50
1 GnuPG v2.0.17 (MingW32)
1 Comment: GnuPT-Portable 2.1.5.0
1 Comment: Download: http://portable.gnupt.de
Windows is the largest anonymity set with over 50% combined share, and luckily the empty version is second most popular, though fewer than 10% of people use it.
However, about 40 people had unique versions, and a bunch more had versions with less than 1% representation (14 keys) in that sample. That creates a potential correlation attack. If you're sending messages to an undercover LEO and later they raid your house, finding a unique version string in your PGP program is pretty good evidence that they have the right person.
And yeah, I know some of those unique versions are created by offsets, but if that's what your PGP program does, that's forensic evidence.
In light of this data, your best option is actually to fake the most popular version string, since even the no-version option puts you in a rather small anonymity set. But the point is that we are needlessly being divided into, in this case, about 80 smaller anonymity sets.
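An added example (not part of the original post, and not its author's code): the same tally, but reading every armor header of each key block instead of only the line after BEGIN, so a Comment: header placed first, a missing Version: header, or stray whitespace and line endings do not split one set into several rows. The sample blocks are constructed with the key data elided, and the names `version_strings`, `anonymity_sets` and `identifying` are hypothetical.

```python
import re
from collections import Counter

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
HEADER = re.compile(r"^([A-Za-z][A-Za-z-]*):\s?(.*)$")  # armor header "Key: value"

def version_strings(armored):
    """Yield one Version value per key block ('' when the header is absent)."""
    in_headers, version = False, ""
    for line in armored.splitlines():
        line = line.strip()
        if line == BEGIN:
            in_headers, version = True, ""
        elif in_headers:
            m = HEADER.match(line)
            if m is None:  # blank line (or anything else) ends the header section
                in_headers = False
                yield version
            elif m.group(1).lower() == "version":
                version = " ".join(m.group(2).split())  # collapse whitespace
    if in_headers:  # input ended while still inside a header section
        yield version

def anonymity_sets(armored):
    """Return (version, keys, share) tuples, largest set first."""
    counts = Counter(version_strings(armored))
    total = sum(counts.values())
    return [(v, n, n / total) for v, n in counts.most_common()]

def identifying(armored, min_share=0.01):
    """Version strings held by a single key, or by less than min_share of keys."""
    return [v for v, n, share in anonymity_sets(armored) if n == 1 or share < min_share]

def _block(*headers):  # constructed sample block, key data elided (assumption)
    return "\n".join([BEGIN, *headers, "", "(key data elided)",
                      "-----END PGP PUBLIC KEY BLOCK-----"])

SAMPLE = "\n".join([
    _block("Version: GnuPG v2.0.17 (MingW32)"),
    _block("Comment: GnuPT-Portable 2.1.5.0", "Version: GnuPG v2.0.17 (MingW32)  \r"),
    _block(),  # no Version header at all
    _block("Version: BCPG v1.47"),
])

if __name__ == "__main__":
    for version, keys, share in anonymity_sets(SAMPLE):
        print(f"{keys:5d} {share:6.1%}  {version or '(no Version header)'}")
    print("identifying:", identifying(SAMPLE))
```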