The 'fix' was not a security fix for the vulnerabilities. Those CVEs are identifiers for separate vulnerabilities that were fixed by the security update. I'm not convinced that the security update was backported to the kernel in Sierra / El Capitan since changes that are feature changes (which the fix for Meltdown would've been considered via the double buffer kernel change) are not included in security changes unless they are explicitly stated to fix a security issue. I would bet that the mitigations in 10.13.2 are not present in Sierra / El Capitan presently.
Interesting, thanks! Still would be nice to get official confirmation from Apple on Sierra/El Cap.