Please read this all the way through.
In order to not affect the users at all, you need to re-use the existing keyset for it to not impact the users.
However, since the MD-5 vulnerability exposes a vulnerability in the existing keyset, you should use a new keyset in this case. This would require deploying the new root certificate so new certificates will be validated.
Since it is a renewal, the existing certificates would still be validated against a CRL that is signed by the old private key/ cert. The new cert and CRL will have (1) after it (assuming you've never renewed before, otherwise will increment).
The MD5 vulnerability is a relatively low-level concern. It is something that should be rectified sooner rather than later, but it is not an immediate threat.
Understanding the vulnerability is part of it - if you do not use sequential serial numbers (MS does not by default) then you should be fine. The vulnerability had to do with submitting cert requests and analyzing them so you could predict certain values in the hash. For CAs that did things sequentially, they could be predicted reliably, and the attacker could submit a request for a certain value (e.g. your subordinate CA, then they could issue all the certs they wanted under your root - only theirs would have their own CDP, etc. that they could publish to).
There is a lot that would have to go into this, hence it is not typically an immediate concern for most folks, however it is a real threat that if it were successfully implemented against your CA could have very serious consequences. In other words - do it, but don't let it keep you awake at night or make it so you rush the implementation instead of making sure you do it properly.
