It does not mean there is no microcode at all. Not all issues can be fixed by the microcode. Microcode is not magic, it can't change fundamental architecture of the chip.
Also, if you are talking about GoFetch specifically, then it can be fixed by disabling DMP unit, which can be done from the kernel code. And it only really matters during security processing, so you can switch it on and off. So, while it can't be fixed, it can be worked around in the software at a very slight performance degradation.