The install documentation terminology is poor.
The download file works as both an upgrade to existing version (some not direct) or as a clean install. So, if you were on 12.1 RU4/5/6, you can upgrade to RU6 MP3, without a clean install.
For this vulnerability, yes, both the manager and your clients need updated for complete remediation (separate vulnerabilities).