I think the simple answer is to upgrade your indexers. Upgrading the indexers from 6.2.2 to 6.2.3 wouldn't take a long time nor is it risky. As you're probably aware, best practice is to upgrade indexers before search heads. If you have some dire business requirement not to upgrade the indexers then it would be best to open a support ticket to raise the issue with the folks that would know why 6.2.3 is specifically required for ES 3.3.
Yes, I do see reference in the documentation. But what would be the impact, if any, by keeling the indexers at 6.2.2 and only upgrading the Search head. Do any of the ES3.3 applications that go on the indexers verify version on restart?
The end goal is to have everything at the latest version.
Your best option is to move to 6.2.3. I suggest looking at the release notes to see what bugs on the indexer tier might affect your deployment. If you don't find anything listed for 6.2.2 that concerns you, you can probably keep your indexers at 6.2.2 until you can upgrade.
That's a big "probably," though...there are a lot of unknowns and here on Answers we don't have very much information to work with.
To answer your last question: no, none of the add-ons that ship with Enterprise Security do anything to check versions.