If Windows XP SP2 firewall service is set to manual or disabled when Windows XP SP3 is applied, the Windows Firewall/Internet Connection Sharing (ICS) service and Security Cetner service will be changed to automatic startup. This behavior is by design, for the purpose of increasing the security of Windows XP.
This setting will remain in effect for computers that had the service startup manually altered.
If the service is administratively disabled via domain Group Policy, it will again be disabled after subsequent application of Group Policy. The automatic service startup should only be seen on the first reboot after applying Service Pack 3. To cause GPO settings to be updated immediately on a client, run gpupdate /force from a command prompt.