Clients[1] are absolutely vulnerable too. But again, I'm not aware of any code that actually uses MSG_PEEK.
[1] Really, there isn't any distinction at the kernel level between a UDP "client" and "server". It's the same set of syscalls being used on both sides, the difference is just who speaks first.
