after programming the extended fuse is not 0x05 but 0xDF, why is this ?
Only the low three bits of efuse are implemented, and there is some ambiguity whether an unimplemented bit should show up as "0" like a programmer would expect, or as "1" as it would if it were an "unprogrammed fuse" (remembering that "1" is the unprogrammed state for fuses, and a "0" enables whatever fuse function is controlled by that bit.)
I'm assuming that doing the main hex file first or doing the fuses first makes no odds ?
Probably not, as long as you're programming the fuses correctly. Note that you should only have to program the fuses once.
what about the lock bits ? these are rarely mentioned in tutorials but some do.
they're in boards.txt as well, as "unlock_bits" and "lock_bits."
The overall procedure done by the IDE for something like "burn bootloader" is:
set the lock bits to the "unlock_bits" value.
program the fuses and the .hex file, all in one avrdude commmand.
set the lock bits to the "lock_bits" value.