The short answer is: you do not get a single new feature by backporting.
Red Hat (from which CentOS is derived) has a pretty good article on what they do with security updates and what the concept of backporting is.
The highlights are:
When we (Red Hat) backport security fixes, we:
• identify the fixes and isolate them from any other changes,
• make sure the fixes do not introduce unwanted side effects, and
• apply the fixes to our previously released versions.
The first bullet is the one directly related to your question. When a project (in your example, the PHP project) releases a new minor version, you can check the Change Log and will see that each minor release is a combination of bug fixes, security updates and new features.
Red Hat will identify the code changes that are relevant bug and security fixes and apply only those to the code base of the version they shipped with your major release. New features are excluded from the patches they apply. So you still end up with version 5.3.3 and all (no more, no less) features that were included in the original 5.3.3 release, but with fewer bugs.
The goal is to provide long-term (ABI/API) stability for third-party developers and (enterprise) customers. You don't have to test and possibly update your custom application each time an open source project releases an update. Your platform remains secure, yet the libraries, APIs etc. remain unchanged (or rather stable).
In some cases Red Hat will release alternate, newer versions of a software package during the life-cycle of a major release, through the software collection channels. You don't get those versions by simply upgrading and applying patches; you have to explicitly enable those repositories and then manually install the newer version (e.g. install PHP 5.4 instead of 5.3.3 in CentOS with yum install centos-release-SCL and yum install php54).
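Because the upstream version stays at 5.3.3 after a backport, the package changelog rather than the version number shows whether a given fix is present. The following is an added example, not part of the original answer: it reads `rpm -q --changelog` output and reports the package release in which a CVE fix was first recorded. The sample changelog, its CVE ids and release numbers are constructed placeholders, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed sample in the layout printed by `rpm -q --changelog`.
# CVE ids, dates, names and release numbers are placeholders, not real data.
sample_changelog() {
cat <<'EOF'
* Tue Jan 02 2099 Example Maintainer <maint@example.com> - 5.3.3-99
- fix buffer overflow in example parser (CVE-2099-0002)

* Mon Jan 01 2099 Example Maintainer <maint@example.com> - 5.3.3-98
- add security fix for CVE-2099-0001
- fix crash on empty input
EOF
}

# Read changelog text on stdin and print the version-release of the oldest
# entry that mentions the CVE id given as $1. Exit status 1 if it is absent.
cve_fixed_in() {
  awk -v cve="$1" '
    /^\* / { rel = $NF }                       # entry header: last field is version-release
    $0 ~ (cve "([^0-9]|$)") { found = rel }    # exact id, not a longer id sharing the prefix
    END { if (found == "") exit 1; print found }  # newest first, so last match is the oldest
  '
}

# On a real host: query the installed package instead of the sample.
# check_backport <package> <CVE-id>
check_backport() {
  rpm -q --changelog "$1" | cve_fixed_in "$2"
}

# Demo on the constructed sample.
sample_changelog | cve_fixed_in CVE-2099-0001
```

A vulnerability scanner that compares only the upstream version string will flag a backported package as unpatched; comparing the installed release against the one reported here resolves that.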