That is not entirely correct. They released 3.0.4 which disabled the RPC server vulnerability so it is safe to use. The 3.0.5 is a fix rather than just disabling. Either version means you are safe. The rushed 3.0.4 to get a safe version available as soon as possible they didn't discover "the bug wasn't completely fixed in it", they always knew that they would then release the full fix later.
It wasn't fixed. Even though CORS is disabled, the vulnerability can still be exploited by using POST request. It's just made more difficult for websites to exploit but it's still possible. 3.0.4 disables the ability to trigger a CORS preflight but didn't disable JsonRPC. 3.0.5 disabled JSONRPC commands.