Service Packs and Security Updates

Check Description

This check determines which available service packs and security updates are not installed on the scanned computer.

Service packs are well-tested collections of updates that focus on a variety of customer-reported concerns with a Microsoft product. They generally fix issues found in the product since its general availability. Service packs are cumulative - each new service pack contains all the fixes in previous service packs, plus any new fixes. They are designed to ensure platform compatibility with newly released software and drivers, and contain updates that fix issues discovered by customers or via internal testing.

A security update, on the other hand, is an interim update that usually addresses a specific bug or security vulnerability. All security updates offered during a service pack's lifetime are rolled up into the subsequent service pack. Each security update identified by this tool has an associated Microsoft security bulletin that contains more information about the fix. The results of this check identify which security updates are missing and provide a link to the Microsoft web site to view the details of each security bulletin.

This tool checks to ensure that you have the latest service packs and security updates for the following products and components:

This check is done by using information obtained from Microsoft.com in the form of a signed CAB/XML file (mssecure.xml). This tool downloads this information from Microsoft.com each time it is run. If it is not able to contact Microsoft.com, it will use a version of the database cached on the local machine. There is also an option to perform this check against an approved updates list from a local Software Update Services (SUS) server rather than against the complete list of available updates from Microsoft.com.

Default Settings:  Security update scans executed from the MBSA GUI or from mbsacli.exe (MBSA-style scan) scan for and report missing updates marked as critical security updates in Windows Update (WU), also referred to as "baseline" critical security updates. When a security update scan is executed from mbsacli.exe using the /hf switch (HFNetChk-style scan), all security-related updates are scanned and reported on. A user running an HFNetChk-style scan can choose to scan for WU critical security updates only, and can use command-line parameters to suppress note and/or warning messages if they are not wanted.

SUS Scan Option:  This option will look for missing security updates included in an approved items list on the SUS server rather than from the full list of available security updates in the mssecure.xml file from the Microsoft web site. When this option is selected in the GUI, MBSA tries to automatically pull the local SUS server name from the local registry. Otherwise MBSA will use the SUS server name that is entered by the user. MBSA connects over HTTP to the specified SUS server and reads the approveditems.txt file to identify security updates which have been explicitly approved by the SUS Administrator. MBSA notes the approved security updates and then looks to a mapping table in the mssecure.xml file to match the SUS security updates to the updates in the XML file. MBSA will then perform the security updates scan based on the selected updates in the mssecure.xml file (which mapped to the approved updates on the local SUS server).
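
The following is an added example, not part of MBSA or of the original page: a simplified model of the scoping described above, showing which missing updates a SUS-scoped scan reports compared with a scan against the full list. All identifiers and data shapes (item names, update IDs, function names) are constructed for illustration and do not reflect the real approveditems.txt or mssecure.xml formats.

```python
# Simplified model of the SUS-scoped scan. Every identifier and data shape
# here is constructed for illustration; these are not MBSA's file formats.

def sus_scoped_updates(approved_items, sus_to_update):
    """Map SUS-approved item names to update IDs via the mapping table.

    Returns (selected update IDs, approved items with no mapping entry)."""
    selected, unmapped = set(), []
    for item in approved_items:
        targets = sus_to_update.get(item)
        if targets:
            selected.update(targets)
        else:
            unmapped.append(item)  # approved on SUS, but cannot be scanned for
    return selected, unmapped


def missing_updates(scope, applicable, installed):
    """Updates in scope that apply to the host and are not installed."""
    return sorted((scope & applicable) - installed)


def compare_scans(catalog, approved_items, sus_to_update, applicable, installed):
    """Run both scan modes and list what the SUS-scoped scan does not report."""
    full = missing_updates(set(catalog), applicable, installed)
    scope, unmapped = sus_scoped_updates(approved_items, sus_to_update)
    scoped = missing_updates(scope & set(catalog), applicable, installed)
    return {
        "full_scan_missing": full,
        "sus_scan_missing": scoped,
        "not_reported_by_sus_scan": sorted(set(full) - set(scoped)),
        "approved_but_unmapped": unmapped,
    }


# Constructed sample data (hypothetical names throughout).
CATALOG = ["UPD-001", "UPD-002", "UPD-003", "UPD-004"]      # full update list
APPROVED = ["sus-item-a", "sus-item-b", "sus-item-x"]       # SUS approved items
MAPPING = {"sus-item-a": ["UPD-001"], "sus-item-b": ["UPD-002"],
           "sus-item-c": ["UPD-003"]}                        # SUS item -> update
APPLICABLE = {"UPD-001", "UPD-002", "UPD-003"}              # apply to this host
INSTALLED = {"UPD-001"}

if __name__ == "__main__":
    for key, value in compare_scans(CATALOG, APPROVED, MAPPING,
                                    APPLICABLE, INSTALLED).items():
        print(f"{key}: {value}")
```

In this constructed data set, UPD-003 is missing from the host but has not been approved on the SUS server, so only the scan against the full list reports it.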

Additional Resources

Microsoft Hotfix and Security Bulletin Service

Microsoft Strategic Technology Protection Program

Windows Update Corporate Edition

© 2002 Microsoft Corporation. All rights reserved.