Hi Jason
Thanks for your response.
I did find out the version to be installed with 3.0 in answer to my original question, but thanks for the confirmation.
The issue with your answer #2 is that approach will not stop Infosec audits highlighting the product as a vulnerability, even if you are not using parts of the MySQL engine. The audit at our client highlighted MySQL as a vulnerability based on the version. And as the version was over 2 years old then it becomes hard to argue.
My view is that CA should consider upgrading MySQL (and other 3rd party products) more frequently to reduce the chances of this happening. I would think updating MySQL whenever there there is a new upgrade to PM, or every 6 months, should be sufficient. And if as you say the parts of MySQL used by PM don't change much then I would hope that would not be a major job.
Hopefully the move into new market segments will cause this to happen.
Regards, John