MS05-017 Security Bulletin

[crashere]

MS05-017 lists Windows XP SP2 as unaffected, but the fix is not listed in
KB811113 (List of fixes included in Windows XP Service Pack 2). On the other
hand, the fix is listed in the SP3 KB946480 (List of fixes included in
Windows XP Service Pack 3). If this fixed in XP SP2 then why is it not
listed? Why is it listed in SP3? Is SP2 affected?

[John Breakwell (MSFT)]

Hi

This is usually just a matter of how the sequence of events turns out and
its probably something like this:

The code changes needed to get round the vulnerability were put into the
service pack as part of the development process.
This doesn't necessarily require a KB article or formal documentation -
there are tonnes of changes in service packs, major and minor.
Windows XP service pack 2 is dated August 4th, 2004.

The code changes are released as a separate hotfix for SP1 users.
This does require a KB article.
The MS05-017 files are dated March 23rd, 2005.

So when SP2 came out, MS05-017 didn't exist which is why KB811113 does not
include it.
But when SP3 came out, MS05-017 did exist which is why KB946480 includes it.
Windows XP service pack 3 is dated April 14th, 2008.

You could argue that SP2 contains the code changes of MS05-017 and
therefore KB811113 should be updated.
You can always provide feedback at the foot of the KB article web page at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;811113 to request a
change.
I have entered a change request on your behalf - I'm not sure how much
traction we will get with this but it's worth a go.

Cheers
John Breakwell (MSFT)

"crashere" <cras...@discussions.microsoft.com> wrote in message
news:CAED8032-E6D9-4DB8...@microsoft.com...