From: Greg Jaworski (gjaworskpeapod.com)
Date: Thu Sep 20 2001 - 08:59:42 CDT

    Here is exactly what the MS site says:

    On the front page for NT Server:
    Note Security updates for Internet Information Server 4.0 (IIS 4.0) will be
    available soon from the Windows Update Product Updates catalog. To get these
    updates now, go to the Microsoft TechNet Web site for the latest IIS updates

    On the FAQ page for Windows Update:
    Has Windows Update always provided security fixes and other updates for
    Internet Information Server 4.0 (IIS 4.0) and Internet Information Services
    5.0 (IIS 5.0)?

    No. On May 23, 2001, Windows Update offered a cumulative package of critical
    updates for IIS 5.0 for the first time. While this package does not include
    all IIS updates released to date, it does provide a combination of the most
    recent fixes that were released between March 2000 and now. For updates that
    were released prior to March 2000, go to the TechNet page for Windows Web
    services (IIS). When new security fixes or other critical updates for IIS
    are created, this package will be replaced with a new package, which will
    include both the new updates, and all of the fixes in the previous package.
    This way, no matter how often you visit Windows Update, you'll know you're
    always getting the most recent updates for your IIS products.

    When a new security bulletin is available on the Microsoft TechNet Security
    Web site, is it also available on Windows Update?

    There is often a delay between the time that a security bulletin is posted
    to the TechNet Security site, and when the security update becomes available
    on Windows Update. This is because new content is added to Windows Update on
    a scheduled timetable. While Windows Update makes every effort to release
    important security updates as quickly as possible, new content must be
    tested and verified to ensure that Windows Update offers you only the
    updates you need for your particular computer. Typically, updates for
    supported products appear on Windows Update anywhere from a few days to a
    few weeks from the time they are announced on the TechNet site. If you know
    which particular version of an update applies to your computer and you don’t
    want to wait to get it from Windows Update, you can download the update
    directly from the security bulletin Web page.

    So if you are getting hit by a virus that uses a new exploit, the hotfix you
    need may not be on Windows Update, and it also doesn't specify how often
    they redo this package. Do they recreate the package after each hotfix is
    created?

    However, if you downloaded the Post SP6a Security Rollup, it contains the
    hotfix that corrects the IIS vulnerability that Nimda uses, and in the case
    of Win2k, SP2 is supposed to patch the same vulnerability in IIS 5.0.

    Greg