29th July 2008
TerryP

(note this is as _I_ understand it and the accuracy of this post is not assured.)


The security advisories that come out generally fit into the format of:


What is the problem
Who does it affect
How do we deal with it


In the case of FreeBSD-SA-08:06.bind, only the relevant software needs to have patches applied to the appropriate source code on your system (bind9 stuff), then recompiled and reinstalled. freebsd-update even allows us to skip that part and just use binary diffs and whatnot.


There is no need to update the entire system in order to correct the security issue, unless you want to or need to rebuild world, kernel, and ports while you are at it. Which is probably a waste of time and extra work for you, if you've got to keep that thing more stable than the US deficit getting bigger.


Code:
Affects:        All supported FreeBSD versions.
Corrected:      2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
                2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)

This basically means that as of YYYY-MM-DD at HH:MM:SS Zulu time the stable branch has the patches committed in addition to whatever is already in the stable branch. And that the security branches for the releases in question have also been updated, e.g. RELENG_7 => 7 stable code from 2008-07-13 18:42:38Z and later are not affected by the security issue.

Thus equaling 7 stable before the patch + the patch. While RELENG_7_0 => 7.0-Release + patches + this patch; which won't include anything from 7 stable that wasn't patched in, e.g. because of a security advisory.


It's basically, do you want the original release plus security patches or do you want the stable branch as of whenever the patch was committed. And unless you explicitly check out that revision, when you go to update a 7 stable machine you get any commits made to that branch afterwards too, whether security or not.


Again, this is as I understand things, not to say that I'm right! lol.
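The reading of the "Corrected:" lines described in the post above can be written as a check. This is an added example, not part of the post or of any FreeBSD tool; the function names are hypothetical, and it assumes a -STABLE checkout is judged by the date of its sources while a release branch is judged by its -pN patch level.

```python
import re
from datetime import datetime, timezone

# Header copied from the FreeBSD-SA-08:06.bind excerpt quoted in the post.
ADVISORY = """\
Affects:        All supported FreeBSD versions.
Corrected:      2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
                2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)
"""

# One "Corrected:" entry: timestamp, branch tag, version label.
ENTRY = re.compile(
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC \((RELENG_[\d_]+), ([^)]+)\)"
)


def parse_corrected(text):
    """Map branch tag -> (commit time in UTC, version label)."""
    fixes = {}
    for stamp, tag, label in ENTRY.findall(text):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        fixes[tag] = (when.replace(tzinfo=timezone.utc), label)
    return fixes


def is_corrected(fixes, tag, sources_as_of=None, patch_level=None):
    """True or False when decidable; None if the branch is not listed
    in the advisory or the input needed for that branch is missing."""
    if tag not in fixes:
        return None
    when, label = fixes[tag]
    release = re.search(r"-RELEASE-p(\d+)$", label)
    if release and patch_level is not None:
        # Release (security) branch: release + security patches only,
        # so the -pN level alone says whether this fix is included.
        return patch_level >= int(release.group(1))
    if sources_as_of is None:
        return None
    # Stable branch (or release branch given only a date): sources from
    # the commit time onward contain the fix plus every other commit.
    return sources_as_of >= when


if __name__ == "__main__":
    fixes = parse_corrected(ADVISORY)
    print(is_corrected(fixes, "RELENG_7_0", patch_level=2))
```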