Please accept my apologies for the delayed reply.
Unfortunately, this indeed seems like a vicious cycle from which it's hard to get away.
However, we got here due to this:
A workaround to this issue here would be to not try decrypting the uncrypted values (simply get the plain text values) during the upgrade process. If you do not try to decrypt the uncrypted values, the service should get its parameters and start as expected.As a result of this the password was set in plain text in registry and during upgrade it was trying to decrypt an uncrypted value and hence was failing.
Hope this helps somehow.
Best regards,
Catalin