I asked Cisco TAC this question re no indication of hotfix being applied; both FMC & CLI "sho version" show 6.4.0.9 as the current version AFTER the hotfix is applied.
According to Cisco this is the correct behaviour! Weird, as the hot fix has a version number. Their advice is to do the following to check status.
"Another way to check if hotfix is applied is from FTD CLI.
- Log in to FTD CLI, then gain root access by typing “sudo su”.
- Navigate to the directory /ngfw/var/log/sf
cd /var/log/sf
- Navigate to the hotfix directory and check the status.log file.
In the below example, I’m checking the status.log file of patch 6.4.0.9; you can check the hotfix 6.4.0.10-2 directory via the same procedure.
root@firepower:/opt/cisco/csp/applications# cd /ngfw/var/log/sf/
root@firepower:/ngfw/var/log/sf# ls -la
total 260
drwxr-xr-x 4 root root 4096 Sep 20 04:02 .
drwxr-xr-x 13 root root 8192 Sep 21 04:02 ..
drwxr-xr-x 12 root root 4096 Jul 9 16:39 Cisco_FTD_SSP_Patch-6.4.0.9
-rw-r--r-- 1 www www 46 Jul 9 16:39 SW_update_info.txt
-rw-r--r-- 1 root root 17520 Sep 21 14:09 data_service.log
-rw-r--r-- 1 root root 5761 Sep 20 03:33 data_service.log.1.gz
-rw-r--r-- 1 root root 7744 Sep 14 03:41 data_service.log.2.gz
-rw-r--r-- 1 root root 5990 Sep 6 03:41 data_service.log.3.gz
-rw-r--r-- 1 root root 7539 Aug 31 03:49 data_service.log.4.gz
-rw-r--r-- 1 root root 508 Jul 9 16:37 db_manage.log
root@firepower:/ngfw/var/log/sf# cd Cisco_FTD_SSP_Patch-6.4.0.9/
root@firepower:/ngfw/var/log/sf/Cisco_FTD_SSP_Patch-6.4.0.9# cat status.log
From the status.log file, you can confirm if the hotfix is applied."
Hope that helps.
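The check described in the post, run over every update directory at once, as an added example that is not part of the original post or of Cisco's tooling. It assumes only the layout shown above (one subdirectory per patch or hotfix under /ngfw/var/log/sf, each holding a status.log); the function names, the placeholder directory names and the sample log lines are constructed, and the content of status.log is not interpreted.

```shell
#!/bin/sh
# update_status [LOGROOT]
# Prints "<update dir>: <last non-empty line of its status.log>" for every
# subdirectory of LOGROOT (default: the path given in the post).
# Directories with a missing or empty status.log are reported explicitly,
# so an update that never logged anything is not silently skipped.
update_status() {
    logroot=${1:-/ngfw/var/log/sf}
    [ -d "$logroot" ] || { echo "no such directory: $logroot" >&2; return 2; }
    found=0
    for dir in "$logroot"/*/; do
        [ -d "$dir" ] || continue        # glob matched nothing
        dir=${dir%/}
        name=$(basename "$dir")
        log="$dir/status.log"
        found=1
        if [ ! -f "$log" ]; then
            echo "$name: no status.log"
        else
            # Last non-blank line, shown as-is (format is not assumed).
            last=$(grep -v '^[[:space:]]*$' "$log" | tail -n 1)
            echo "$name: ${last:-status.log is empty}"
        fi
    done
    [ "$found" -eq 1 ] || { echo "no update directories under $logroot" >&2; return 1; }
}

# make_sample_tree: builds a CONSTRUCTED log root for trying the function
# off-box. Only the patch directory name comes from the post; the other
# names and all log lines are placeholders.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/Cisco_FTD_SSP_Patch-6.4.0.9" \
          "$t/HOTFIX_DIR_PLACEHOLDER" "$t/EMPTY_LOG_PLACEHOLDER"
    printf 'constructed: step 1\nconstructed: final step done\n\n' \
        > "$t/Cisco_FTD_SSP_Patch-6.4.0.9/status.log"
    : > "$t/EMPTY_LOG_PLACEHOLDER/status.log"
    : > "$t/data_service.log"            # plain files in the root are ignored
    echo "$t"
}
```

On the device, source the file as root and call update_status with no argument; a hotfix directory that reports "no status.log" or "status.log is empty" is the case to follow up on.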