The deal is that 6.2 contains a version of OpenSSL that does have the vulnerability, but it is not believed to be exploitable. That is, it will recognize the ChangeCipherSpec message (which is what the vulnerability scanner is detecting) but the attacker won't be able to calculate the correct Finished hash. Some discussion of the situation here: https://www.imperialviolet.org/2014/06/05/earlyccs.html
This is why our security advisory indicates 6.2 "may" be vulnerable. It's not exploitable as far as we know, but we still intend to issue patches during the next scheduled maintenance release just to be safe.
That said, upgrading to 6.3 is probably still a better plan.