If you just want to compare the hard coded changes to the changes from SAP you could also compare the customizing tables via an RFC call and transaction OY19. Compare the relevant tables after the upgrade in the dev / sandbox system to the prod system in the old state.
a sample procedure would be:
OY19 - USOBT on EHP7 to USOBT_C on "old" system
The relevant tables are: USOBT (SAP proposals) USOBX (SAP check values) USOBT_C and USOBX_C are the customer equivalents.
If you are using proposals for org.levels - see notes 727536 and 1624104.
The listed modifications are the changes done by SAP. Good security developers will set a filter on the changes objects and know the impact on their security concept.
- This is basically step 2b in SU25 but without starting the whole process. Above advises are to be considered too but sometime a simple comparison between the hard facts is more transparent than the SU25 tool by SAP.