This post is the result of a question I received off-line about how kernel updates, specifically, security updates, are handled.
New kernel releases from Canonical are categorized as either a security release, an update, or as proposed. Normally, new kernels are first categorized as proposed and are promoted to the update category once a new proposed kernel is ready. If a security release is required, it replaces both proposed and update kernels since Canonical does not backport security patches to previously released kernels.
We use a modified kernel release process for Centrych when it comes to security release kernels to minimize the chance of problems. Only security releases that are tagged as urgent, which can be viewed in the changelog, are placed directly in the release repository. Otherwise, it is first placed in the updates repository for a week or two to make sure that no issues are reported on the Ubuntu forums that track kernel releases.
If you're interested, this link contains all of the currently supported kernel versions and associated categories.