Greetings,
the VMware support statement is correct. If you apply this security patch then the host will also be updated to U3. In general ESXi patches are cumulative so this is somehow expected, and there is no way to apply this security fix to an U2 system without also updating it to U3.
Of course, in theory, it would be possible for VMware to provide another version of this (or any other) security patch for a U2 system ... and in addition for a U1 system ... and the GA version which would just fix the security issue and not change the update level... However, given the number of available security patches and the update releases of ESXi this would create a plethora of different possible patch combinations for an ESXi host - something that is probably impossible to maintain, validate and cross check for compatibility even for a big software vendor like VMware.
Andreas
Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
