Security Updates, Update Rollups, and Service Packs

Check Description

This check determines which available updates are not installed on the scanned computer. The updates that are scanned for fall into three categories related to the life cycle of a security fix.

Security updates are interim updates that usually address a specific bug or security vulnerability. All security updates offered during a service pack's lifetime are combined into the subsequent service pack. Each security update identified by this tool has an associated Microsoft security bulletin that contains more information about the fix. The results of this check identify which security updates are missing and provide a link to the Microsoft Web site to view the details of each security bulletin.

Update rollups are a cumulative set of security fixes. These updates are released periodically and, because they are smaller than full service packs, tend to be easier to deploy. Because update rollups are focused on security issues, they also tend to be easier to deploy than multiple security updates, for example, when updating a computer that has been recently installed and may have no security updates protecting it.

Service packs are collections of security and non-security updates that focus on a variety of customer-reported concerns with a Microsoft product. Service packs provide fixes for issues that have been reported after the product has become generally available. They are cumulative, that is, each new service pack contains all the fixes in previous service packs, plus any new fixes. They are designed to ensure platform compatibility with newly released software and drivers, and contain updates that fix issues discovered by customers or by internal testing.

When your computer is running the latest service packs and the latest update rollups, you can minimize the number of additional, individual security updates needed.

Microsoft® Baseline Security Analyzer (MBSA) checks to ensure that you have the latest security updates, update rollups, and service packs for all products being serviced by the Microsoft Update site. This includes, but is not limited to, the following:

See the Microsoft Web site for the current list of products

This check is performed by using information obtained from Microsoft.com in the form of a signed .cab file, a Windows Server Update Services (Update Services) server, or the Microsoft Update site. The tool downloads this information from Microsoft.com each time it has changed. If it is not able to contact Microsoft.com, it will use a version of the offline catalog cached on the local computer. There is also an option to perform this check only against an approved updates list from a local Update Services server, or only against the complete list of available updates from Microsoft Update.

Default Settings.  Security update scans executed from the Microsoft Baseline Security Analyzer (MBSA) graphical user interface (GUI) or from the Mbsacli.exe command line interface (CLI) will scan and report missing updates marked as security updates, update rollups or service packs in Microsoft Update (MU). If the computer has an Update Services server assigned by the system administrator that does not have the updates in the specific categories approved, those items will be given an informational score in the report.
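The following PowerShell script is an added example, not part of MBSA or of the original page. It uses the Windows Update Agent COM API to list missing security updates, update rollups and service packs from Microsoft Update and to mark which of them the assigned Update Services server also offers, which corresponds to the approved-versus-unapproved distinction described above. It assumes the computer has the Microsoft Update service registered; the classification CategoryIDs and the Microsoft Update service ID are the standard Windows Update identifiers and do not come from this page.

```powershell
# Added example (not MBSA code). Run in Windows PowerShell 3.0 or later.
# Standard classification CategoryIDs for the three categories this check reports.
$Classes = @{
    '0fa1201d-4330-4fa8-8ae9-b877473b6441' = 'Security Update'
    '28bc880e-0592-4cbf-8f95-c79b17911d5f' = 'Update Rollup'
    '68c5b0a3-d1a6-4553-ae49-01d3a7827828' = 'Service Pack'
}
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Get-MissingUpdate {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ManagedServer', 'MicrosoftUpdate')]
        [string]$Source
    )
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    if ($Source -eq 'ManagedServer') {
        $searcher.ServerSelection = 1      # ssManagedServer: approved list on Update Services
    } else {
        $searcher.ServerSelection = 3      # ssOthers: service named by ServiceID
        $searcher.ServiceID = $MicrosoftUpdateServiceId
    }
    # Not-installed software updates, filtered to the three classifications.
    foreach ($u in $searcher.Search("IsInstalled=0 and Type='Software'").Updates) {
        $class = $u.Categories |
            Where-Object { $Classes.ContainsKey($_.CategoryID.ToLower()) } |
            Select-Object -First 1
        if (-not $class) { continue }
        [pscustomobject]@{
            UpdateID  = $u.Identity.UpdateID
            Class     = $Classes[$class.CategoryID.ToLower()]
            Bulletins = @($u.SecurityBulletinIDs) -join ','
            Title     = $u.Title
        }
    }
}

$all = @(Get-MissingUpdate -Source MicrosoftUpdate)
try {
    $approved = @(Get-MissingUpdate -Source ManagedServer)
} catch {
    # No Update Services server assigned or reachable: nothing counts as approved.
    $approved = @()
    Write-Warning "Update Services scan failed: $($_.Exception.Message)"
}
$approvedIds = $approved.UpdateID
$all | Select-Object Class, Bulletins, Title,
    @{ n = 'ApprovedOnUpdateServices'; e = { $approvedIds -contains $_.UpdateID } } |
    Sort-Object Class, Title | Format-Table -AutoSize
```

Rows where ApprovedOnUpdateServices is False are updates that Microsoft Update lists as missing but the Update Services server has not approved.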

Additional Resources

Microsoft Security Bulletin Search

Microsoft Windows Server Update Services


©2002-2005 Microsoft Corporation. All rights reserved.