You should upgrade all of those. There are known security problems in 6.3(1) and 6.3(3). You are entitled to 6.3(4) even if you have no support contract (provided you are the registered owner of the equipment.) If you have a support contract it would be even better to upgrade to 6.3(5) as that has a number of bug fixes.
If I recall correctly, there were some VPN related bugs fixed after 6.3(1).
If you do not have a support contract on a device, and you are not still in the warrantee period, then you are not entitled to upgrade the device to 6.3(5).
PIX software is NOT licensed on the basis of "If you own a copy of a version, you can use it on any PIX you have."
There are *selected* security releases that Cisco provides for free, and for those -only-, if you have a PIX with the same minor release number (e.g., 6.3) then you can update. You are, though, not entitled to update a device from a different major or minor release, so if you happened to have a copy of the security release 6.3(4), you would NOT be entitled to use it to upgrade a PIX running 6.2 [unless that PIX was under support.]