I tried the bunkerview on a 10203 database which had patch 7 (6038241)applied which is also labeled as cpu APRIL 2007 and it failed. So looks likeit was already fixed before Cpu July 2007 came out. That makes me believe that Oracle releases security fixes in between cpu's.
When waiting for Oracle to fix some of the security issues I've informed them about, I've noted that, if a fix is available for a given platform, Oracle may to slip it in to a CPU without announcing it. Only when all platforms have a patch available do Oracle then note it in their risk matrix. This is probably what you're seeing.
HTH, David -- //www.freelists.org/webpage/oracle-l