This is correct. The patches for ESXi are cumulative, which means the latest patches are built on top of the previously released patches. So applying the latest patch binaries will automatically contain previous release content too.
The VMware support statement is correct. If you apply this security patch then the host will also be updated to U3. In general ESXi patches are cumulative so this is somehow expected, and there is no way to apply this security fix to a U2 system without also updating it to U3.
Of course, in theory, it would be possible for VMware to provide another version of this (or any other) security patch for a U2 system ... and in addition for a U1 system ... and the GA version which would just fix the security issue and not change the update level... However, given the number of available security patches and the update releases of ESXi this would create a plethora of different possible patch combinations for an ESXi host - something that is probably impossible to maintain, validate and cross check for compatibility even for a big software vendor like VMware.