The security advisory from Microsoft stated that the vulnerability is in all 3 versions. The advisory acknowledged Google, Adobe and McAfee for providing the details of the vulnerability -- this was a joint disclosure published all on the same date.
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.
The reason Microsoft can advise people to upgrade from IE6 even when IE7 and IE8 also have the vulnerability is that newer versions of Internet Explorer and of Windows allow you to do less with a bug like this. Yes you can still abuse the pointer to get code to run, but with DEP and Protected Mode, that code has limited access to the system to do anything malicious. With IE6 on XP, if the user account that ran Internet Explorer is an administrator, the bug is much more serious.