Of course you can use a secondary address with static addressing. I've yet to see a production OS that didn't support it (I know some embedded OSs do as well, but I'm not sure that your interface to them would).
And you don't need the secondary address on the clients, you need it on the default gateway while you do the transition to the new addressing scheme. You change the clients one at a time, and there you can do an actual replacement of the IP address. You need the gateway to be on both networks simultaneously so that it can route traffic between the two networks (even though they are on the same wire). That way, if your gateway is on both the 10. and 192.168 and you change client A to 192.168, it will not see the 10. hosts on its local network, so it will locate its default gateway and send the packet there. The default gateway will see the 192.168 packet because it has an address on that network. It will see that the route to 10. is the same interface, with a 10. address, so it will send the packet on to the 10. host. When the response is generated by the 10. host, it will recognized that it cannot send to the 192.168 network, so it will send to the gateway at its 10. address. The gateway will look up the 192.168 network, recognize that it is on the same interface and resend the packet to the 192.168 network.
Like I said, you take a traffic hit, but it works seemlessly and doesn't require a "hot cut" to the new addressing scheme.
And you can do static addressing with DHCP. It is hard one time, while you track down all of the MAC addresses and enter them into your DHCP scheme, but it works like a champ. The only machine with a static address on my small network is the firewall. Everyone else gets a DHCP address. Servers and clients. The servers get static addresses and the clients get random (not really, since they get the same lease over and over again) but you can pick and choose who gets what. By using arpwatch you can identify any rogue hosts on your network, unless they are cunning enough to use SMAC or macchanger, which means that they are really determined to get onto your network. Port security is about your only option at that point.
pansophic