Ticket
Resolution: Done
Why need this Task?
I would like some clarification regarding some debuginfo packages that are present in the VEX files but not shown in the errata page.
Description:
While comparing VEX files with the corresponding Red Hat Errata (where applicable), I’ve noticed some discrepancies involving -debuginfo packages. So far, this appears to occur only in RHEL 5 packages, and I would like to confirm whether this behavior is expected or if it indicates a potential inconsistency.
Specifically, I observed that certain VEX documents list -debuginfo packages as fixed, even though these packages are not mentioned in the related errata. Other package variants (e.g., base, -devel, -docs) are present in both sources.
Example: CVE-2009-1955
Fixed packages in the VEX file (subset):
"5Server:apr-util-0:1.2.7-7.el5_3.1.x86_64"
"5Server:apr-util-debuginfo-0:1.2.7-7.el5_3.1.x86_64"
"5Server:apr-util-devel-0:1.2.7-7.el5_3.1.x86_64"
"5Server:apr-util-docs-0:1.2.7-7.el5_3.1.x86_64"
Errata (RHSA-2009:1107):
Lists the same packages except for apr-util-debuginfo
Is this expected behavior?
Should the -debuginfo package be considered fixed as per the VEX file, or should the errata be considered authoritative in cases like this?
If expected, is this something particular to -debuginfo packages in RHEL 5, or could the same be happening for other packages and products?
For reference, I’ve noticed that in more recent releases (e.g., RHEL 8 and 9), the -debuginfo packages are listed in both the VEX files and the corresponding errata. However, I haven’t performed a comprehensive check across all CVEs and errata.
Another example for reference:
CVE-2005-3350
VEX: 5Server:giflib-debuginfo-0:4.1.3-7.1.el5_3.1.i386
Errata (RHSA-2009:0444):
Lists only giflib, giflib-devel, and giflib-utils
Any clarification on this discrepancy would be appreciated.
Thanks!
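One way to make the VEX-versus-errata comparison described in this ticket repeatable, as an added example (it is not the ticket author's tooling and not anything Red Hat ships). It relies on the CSAF 2.0 layout Red Hat's VEX files use (vulnerabilities[*].cve and vulnerabilities[*].product_status.fixed, the latter a list of product IDs of the form "<product-branch>:<name>-<epoch>:<version>-<release>.<arch>"). The sample VEX document and errata package list below are constructed from the entries quoted in the ticket, and the helper names and the component-only entry in the sample are my own assumptions.

```python
"""Compare the packages a Red Hat CSAF VEX document marks as fixed for a CVE
against the package list of the corresponding erratum, and report entries
(such as -debuginfo) that appear in only one of the two sources.

Added example, not code from the ticket author or from Red Hat.
"""
import json
import re
from dataclasses import dataclass

# Red Hat VEX product IDs with a build attached look like
#   "5Server:apr-util-debuginfo-0:1.2.7-7.el5_3.1.x86_64"
# i.e. "<product-branch>:" followed by an RPM NEVRA. The NEVRA part is
# parsed here; the branch prefix is split off on the first colon.
_NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<epoch>\d+):(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


@dataclass(frozen=True)
class Nevra:
    name: str
    epoch: str
    version: str
    release: str
    arch: str

    @property
    def nvra(self) -> str:
        """Errata pages list packages without the epoch, so compare on NVRA."""
        return f"{self.name}-{self.version}-{self.release}.{self.arch}"


def parse_product_id(product_id: str):
    """Split a VEX product ID into (product_branch, Nevra).

    Returns None for IDs that carry no NEVRA (component-only entries),
    so callers can skip them instead of mis-parsing them.
    """
    branch, sep, rest = product_id.partition(":")
    if not sep:
        return None
    m = _NEVRA_RE.match(rest)
    if not m:
        return None
    return branch, Nevra(**m.groupdict())


def fixed_packages(vex_doc: dict, cve: str) -> set:
    """All NEVRAs the VEX document marks as fixed for the given CVE."""
    out = set()
    for vuln in vex_doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for pid in vuln.get("product_status", {}).get("fixed", []):
            parsed = parse_product_id(pid)
            if parsed:
                out.add(parsed[1])
    return out


def diff_against_errata(vex_fixed: set, errata_nvras: set):
    """Return (only_in_vex as Nevra objects, only_in_errata as NVRA strings)."""
    by_nvra = {n.nvra: n for n in vex_fixed}
    only_vex = [by_nvra[k] for k in sorted(set(by_nvra) - errata_nvras)]
    only_errata = sorted(errata_nvras - set(by_nvra))
    return only_vex, only_errata


def is_debuginfo(pkg: Nevra) -> bool:
    return pkg.name.endswith(("-debuginfo", "-debugsource"))


# Constructed sample VEX document built from the product IDs quoted in the
# ticket for CVE-2009-1955; it is not a real Red Hat file. The last entry is
# a made-up component-only ID, included to show that such IDs are skipped.
SAMPLE_VEX = json.loads("""{
  "document": {"title": "Constructed sample, not a Red Hat VEX file"},
  "vulnerabilities": [{
    "cve": "CVE-2009-1955",
    "product_status": {"fixed": [
      "5Server:apr-util-0:1.2.7-7.el5_3.1.x86_64",
      "5Server:apr-util-debuginfo-0:1.2.7-7.el5_3.1.x86_64",
      "5Server:apr-util-devel-0:1.2.7-7.el5_3.1.x86_64",
      "5Server:apr-util-docs-0:1.2.7-7.el5_3.1.x86_64",
      "red_hat_enterprise_linux_5:apr-util"
    ]}
  }]
}""")

# Constructed errata package list, reflecting the ticket's description of
# RHSA-2009:1107 (no -debuginfo entry); in practice scraped from the errata page.
SAMPLE_ERRATA = {
    "apr-util-1.2.7-7.el5_3.1.x86_64",
    "apr-util-devel-1.2.7-7.el5_3.1.x86_64",
    "apr-util-docs-1.2.7-7.el5_3.1.x86_64",
}


def report(vex_doc=SAMPLE_VEX, cve="CVE-2009-1955", errata=SAMPLE_ERRATA) -> dict:
    only_vex, only_errata = diff_against_errata(fixed_packages(vex_doc, cve), errata)
    return {
        "only_in_vex": [n.nvra for n in only_vex],
        "only_in_vex_debuginfo": [n.nvra for n in only_vex if is_debuginfo(n)],
        "only_in_errata": only_errata,
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

To run this against a real pair, load the CSAF VEX JSON with json.load and pass the package names from the errata page as the errata set; the "only_in_vex_debuginfo" list is what isolates the discrepancy the ticket asks about, and anything left in "only_in_vex" after filtering debuginfo is a discrepancy of a different kind worth a separate look.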