Properly deal with partial (single entry) UNION injections.

Got rid of kb.union*, now it's all stored/used from kb.injection.
Minor bug fix with where=2 detection phase.