Yes, you absolutely want a truncated version of SHA2 if you're going to be upgrading.

Probably not. There's SHA-3 (though reputedly slow), and my favourite, Blake2b.

I've implemented both SHA-256 and SHA-512, and seen the more modern Blake2 in detail: Blake2 is not more complex, it's fast, and for now it's solid. I expect it to stay secure for a long time, given its Chacha heritage.

I meant that you definitely want the truncation, not whether you pick SHA2 or not. There are other choices for sure that are also immune to length-extension.

I love Blake2b's keyed mode (or the other modern hashes for that matter): now the easy way to do a hash based MAC is also the right way.