I'm planning to set up a Linux-VPS and run a PHP site on it. I have read that it's recommended to use PHP Suhosin to patch PHP for security. But isn't PHP patched for security in every new release? Or is PHP Suhosin making the security better than what PHP themselves plan to do? Or is PHP Suhosin just for older versions of PHP?
I think you should understand this in terms of a different approach to security. The Suhosin patch changes some fundamental ways variables and streams are handled and takes a more hard-line approach about what is even possible with the language. It is not that PHP itself is not patched to include protection against known compromises, but as a language they choose to allow certain kinds of behaviors that are more risky. Patching with somebody else's idea of what should and should not be allowed might get you a more secure platform in terms of the possible attack surface, but it might also limit you in the PHP software you can run. Some PHP packages might not respond well to the more restrictive rules.
If you are writing your own software from scratch, it sounds like the Suhosin patch set might be a good idea. You should learn best-practice techniques and the most restricted language might be just the way to do that. If you have some package to run that is incompatible with the modified PHP, you might not have this luxury.
PHP is patched for known security holes. Suhosin (like SELinux) protects PHP against unknown security holes.
The feature list on the Suhosin site gives specific answers to the question.
You should note that Suhosin is not so much about patching security holes in PHP itself - rather it is about hardening PHP, which is a broader issue.
As Caleb points out, you may find that some third-party PHP code doesn't work under Suhosin. If you have something specific in mind, you could ask a specific question about Suhosin for that particular code in the appropriate forum, or just try it and see.