By and large, yes. Red Hat picks a version to baseline for each major RHEL release (4,5,6 ...). So, RHEL6 runs kernel 2.6.32, whether it's 6.0 from 3 years ago or 6.5 that just came out. What they then do is selectively back-port changes from the latest version to create their own special version number: 2.6.32-431, for example.
While hypothetically they are guaranteeing to protect you from any breaking changes, it makes it an absolute nightmare to guarantee that anything is FIXED. For example, if I am asked "is bug xyz fixed?", I can look in the upstream changelog and see that the bug went away in kernel 3.2, it's very hard to see if that fix made it into Red Hat's version -431. From a stability standpoint, RHEL is wonderful, but from any other, specifically security certification, it's a pit of despair.