First, I don't know for sure, but I expect that the slackware-security mailing list only mentions updates that are 'security-related' (for all I know, it might even require a CVE id). I rely on it to tell me that there is a security issue that has been patched.
But when something is patched, it doesn't mean that it is patched for a security bug. As slackpkg doesn't have an "upgrade-security" option, "upgrade-all" will pick up all that's been patched. Checking ChangeLog.txt is always appropriate, but I don't see an issue with waiting for the mailing list, to tell me I "should" update.
In the example you give, the ChangeLog.txt says
Code:
patches/packages/pkg-config-0.29.2-x86_64-1_slack14.2.txz: Upgraded.
This is a bugfix release, and is needed for some updates on slackbuilds.org
to compile properly. Thanks to Willy Sudiarto Raharjo.
I don't see a security reason, there.