They could get RasPis below 4th gen running outdated software, I guess. I think I read elsewhere that Debian already had a patch out some time ago, so that number is also likely diminishingly small.
Question if I update my server and it has the new SSH (patched) package. Is that enough or do I have to restart the server as well? How can I check if the old SSH is in use currently?
Restart your ssh server to be sure (probably sudo systemctl restart sshd). No need to reboot your server for this.
I don't know how reliable this is, but I usually go into htop to check if stuff needs to be restarted. Processes in red have been replaced or removed since starting.
That said, regular server reboots are a good idea to make sure kernel patches are applied. Can't go wrong with a reboot just in case.
For anyone in RHEL / Fedora land (or using dnf somewhere else), try dnf needs-restarting to list executables that have mismatched files on disk vs memory. The -r flag will hint if a reboot is needed (due to things like kernel or glibc changes)