Distro vendors themselves don't release patches. They would either take a patch, apply it to the vulnerable release and release it as an entire package, or take the patched software from the software developers themselves and release it. Which angle is typically dependent on the position of the original developers, their willingness or ability to respond to the issue.
As far as Redhat and CentOS go, redhat do their patching and update releases in under a week, often much sooner, and this same update will cascade down into CentOS. CentOS do apply a few minor tweaks outside of the redhat releases, but only very rarely, if they really think there's an unaddressed issue. Generally they would prefer to pass on redhat's updates as it continues to ensure compatibility with redhat.
If your boss wants to pay for support then get Redhat every time, but if he wants redhat based on some dumb preconception that even without support he's somehow still better off with it, he's a muppet, and CentOS is a much more sensible option, as you will still get the same updates you'd normally be paying for, but with a slight delay.