Don't change your passwords on unpatched servers, or you'll be more at risk not less, now that the bug exploit is public. You can check any server here:
and :443 to the domain name in most cases,
(wait for them to patch before logging back in to them.)
Also while this bug has been in the code for 2 years, it was only discovered by researchers less then 2 weeks ago and has only been public for a number of days. There has been no indication that anyone nefarious has known about the bug prior to this unless they've been really low key with their usage of it. So if you haven't logged into a service in the last few weeks, likely your login information on that service if unique, would not have been compromised as it wouldn't have been in memory from a recent login. Can't hurt to change it anyway, but that is worth considering in your risk assessment.