Oracle/MySQL security confusion
So I am completely confused on the whole Oracle/MySQL thing at this point. MySQL GA comes out with releases which contain bug/security fixes which will increment the version (5.5.19 becomes 5.5.20). That's the way it's always been and is simple enough. Now, however, Oracle is releasing "patches" to MySQL.
From what I understand, these patches are for the enterprise commercial advanced (ECA) edition and not for GA, as GA has its own open-sourced fixes. If this is the case, then how does it work out for CVEs, because NVD (yeah, I know they're wrong all the time) is simply saying that MySQL 5.5.20 is vulnerable? GA 5.5.20 was released a week prior to the Oracle CPU, so I'm assuming that these vulnerabilities were not fixed in the newest GA. So like I said, I am really confused about all of this and have some questions.
Is GA vulnerable to what was patched in ECA?
Will GA implement these fixes?
How can I tell if ECA has been patched? Are the patches installed as patches or are they new versions? (The ECA trial only seems to be at 5.5.19.)
Should I now consider ECA and GA completely separate forks/products in regards to security?
As someone who works in vulnerability management, I'm really not sure what I should be telling clients in regards to their MySQL security now and could really use some clarification.
Posted: January 20, 2012 03:44PM