I was scanning through Microsoft Security Bulletin MS08-006 and saw the Aggregate Severity Rating was ‘Important’ for all versions of Windows XP and Windows 2003. Because no critical ratings were listed, I felt secure in waiting a day or two before applying this patch. I tend to wait for others to find patch problems before I apply them to my vital machines.
Luckily Susan pointed out that in fine print at the bottom of the Security Bulletin is the following:
Note Supported editions of Windows Small Business Server 2003 contain the same affected code as Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2. However, for the ASP Vulnerability (CVE-2008-0075), default configurations of Windows Small Business Server 2003 have a greater exposure to the same vulnerability and therefore merit a severity rating of Critical.
Gee, thanks Microsoft for putting all the effort into making sure security professionals are aware that Small Business Server has this critical vulnerability. Talk about being the red headed stepchild of the server world.