patching, changelog and CVE numbers

Via inspection of the changelog, it appears that one local system cannot account for any CVEs for OpenSSL 0.9.8e for the last 2 years (since 2012.

If the latest OpenSSL patch (via RHN) were applied, would that patch (cumulatively) carry forward all previous CVEs, or would all previous OpenSSL patches need to be applied as well in order to cover all the CVE bases?

Thanks.