We try to trim the binary packages listed in our USNs to just the packages that we think are related to the fixes in question, to avoid the emails being ridiculous long lists of dozens or hundreds of packages. (The -dev or -doc packages are almost never actually affected by security issues.)
We've chosen to list all the binary packages generated from a single source package as affected in our OVAL data feeds. While this can be misleading from the perspective of source packages that provide both clients and servers, it's the conservative choice and also reflects how package upgrades are expected to happen.
(In the specific case of MySQL, it's also a good idea: Oracle does not publish much information about their security issues. We shouldn't try to guess which binary package contains which specific CVE fixes from Oracle. It's best to upgrade them all when they're released rather than trying to understand which specific fixes are in which specific packages.)
The USN list of packages is trimmed a bit to keep them readable. The OVAL intentionally lists everything. Both approaches have problems, but we figured the OVAL should err on the side of safety and the USNs should err on the side of legibility.
Thanks
