You can see evidence of this for yourself.
Just take a look at the below logs, these will tell you what files your clients are downloading to perform updates. If you see full.zip, then they are downloading the big file (for whichever corresponding def type, be that AV, SONAR, IPS or whatever). If you see xdelta*********_To_*********.dax, then they are downloading the incremental update files.
Go to Monitors -> Logs
Log Type: System
Log Content: Client Activity
Open Advanced Settings
In the Event Source field, put in a filter of: SYLINK
Click Vew Logs