Compared to 1.2.5, version 1.2.5.1 has only changed the cookie handling, resolving the vulnerability you mentioned. You can see in the diff that only 3 files were changed, all related to this issue.
Play 1.2.6 however contains all the changes since the release of 1.2.5 last year. Most of the changes (maybe all, I did not read the commit logs and corresponding issues in detail) seem to pertain to non-critical bugfixes.