Check for the Update history
file - it lists all files which have been changed/updated in certain release.
It is always
recommended to have latest release installed. If you have your own modifications made, you need to have list of changes to apply each time when you upgrade the default script. Plugins are separated from the core and that's their idea, that you should upgrade addons and the main core separately. Refer to the similar thread
where such topic is discussed.
New version of the Captcha addon doesn't contain CSRF security update (as it is not affected by this vulnerability) and the only change it includes is just the additional code for Polls addon.