That's correct. To sniff traffic without replacing the certificate with one of their own they would need the the private key which was used in a session. (That key might have been derrived from the server private key, but again nothing the CA has access to.)