Hi! Actually I don't know which distributors are "back-porting" fixes, but from my personal experience distributors don't trust the latest release either (and thus keep what they have) ;-)
I would note that even the Debian openldap maintainers say not to use their packages for production:
<http://www.openldap.org/faq/data/cache/1456.html> --Quanah -- Quanah Gibson-Mount Lead Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration