Unfortunately, another of the popular testing servers:
https://lastpass.com/heartbleed/
reports "www.icloud.com" as "likely vulnerable" (as of this date and time):
Site:www.icloud.com
Server software:Apache
Vulnerable:Likely (known use OpenSSL)
SSL Certificate:Unsafe (created 12 months ago at Apr 24 00:00:00 2013 GMT)
Assessment:Wait for the site to update before changing your password
For "icloud.com" you get this result:
Site:icloud.com
Server software:Apache
Vulnerable:Likely (known use OpenSSL)
SSL Certificate:Unsafe (created 2 years ago at Jul 18 00:00:00 2012 GMT)
Assessment:Wait for the site to update before changing your password
With conflicting results like these, it's hard to both take and give advice.