In other words, the kernel version 2.6.9-89.0.7 should be read as: distribution vendor's patchlevel 89.0.7 of Linux kernel source version 2.6.9.
When a kernel source version is chosen for a particular release of an "enterprise-grade" Linux distribution, that kernel version is usually fixed for the lifetime of the distribution. For example, RedHat chose 2.6.9 as the kernel version for RHEL4. Instead of always using Linus's newest kernel source, RedHat backports any necessary bug-fixes to their customized version of the 2.6.9 kernel.
If you want to know whether a particular security vulnerability is fixed or not, the kernel version 2.6.9 is not nearly enough information. You must check the security notes of your Linux distribution to see if the patch for the vulnerability you're interested in is backported from 2.6.30.4+ to your vendor's 2.6.9 patchelvel 89.0.7 or not.
Because you did not tell us the name of your Linux distribution or any information about the vulnerability you're interested in, I cannot find the exact information for you.
But looking at the Linux kernel changelogs of 2.6.30.4 at
www.kernel.org, I see it lists fixes for two security vulnerabilities: CVE-2009-2406 and CVE-2009-2407. Both of these apply for eCryptfs, a particular type of encrypting filesystem. If you don't use eCryptfs and don't have its kernel module(s) loaded, these vulnerabilities don't apply to you.
eCryptfs is a pretty new project, so I believe it did not even exist back when RHEL4 was launched. So unless RedHat thought this particular type of encrypted filesystem as essential for enterprise-level users, it probably is not included in RHEL4.
MK
MK
