SCIENTIFIC-LINUX-USERS Archives

June 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Winnie Lacesso <[log in to unmask]>
Reply To: Winnie Lacesso <[log in to unmask]>
Date: Thu, 7 Jun 2012 09:48:41 +0100
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (34 lines)

Good day SL people,

In 2009 I was surprised to learn from this useful+informative SL-User's 
list, that CentOS does not always release security updates in a timely 
manner: 

http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=scientific-linux-users&D=0&T=0&P=4484
"It has come to light that the maintainers don't/can't release interim  
security updates while they are rebuilding a new dot release from 
upstream" 

http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=SCIENTIFIC-LINUX-USERS&P=R7106&I=-3
"For example, once Redhat releases a point release, an attacker knows that
any subsequent errata can be used against a CentOS box at least until the 
CentOS project releases the corresponding point release. It is quite 
literally a sitting duck."

http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=scientific-linux-users&D=0&T=0&P=4999
"(About CentOS & why user is switching from CentOS to SL:) So there is a
potential delay of weeks and months before security updates are passed on 
whilst a distribution is being rebuilt, as they currently don't start 
rebuilding the dependencies of an errata updated package, unless it is
part of the release. I am quite happy to wait a few days for a security 
updates, but I do take issue to an unknown exposure where security updates
are delayed for an unspecified length of time."

Question: that was in 2009. Does anyone know, is the above still true of 
CentOS? (Apols - I don't wish to join CentOS list just to find that out & 
am unable to find out via some searching)
(We are debating building some new servers as SL vs CentOS, & timely
security updates are relevant to us)

Many thanks for pointers/enlightenment.