I have mentioned this concerning force logon with SSO. And this one missing fix is enough for us to stay on 2.1 SP3 (because we need it). So I'm not sure which other fixes are missing.
I think there is no overview (or I don't know it) which fixes are included and which are not included. That means checking every note in my opinion.
This kind of things happen when SAP decides to split the code (which means from that point they have two separate code branches).
There will be no more 2.1 version after SP3 (according to SAP) which means that 2.2 should get all fixes as fast as possible. Maybe at the end of the year with 2.2 SP1.