Service Packs and Security Updates

Check Description

This check determines which available service packs and security updates are not installed on the scanned computer.

Service packs are tested collections of updates that focus on a variety of customer-reported concerns with a Microsoft product. Service packs provide fixes for issues that have been reported after the product has become generally available. They are cumulative, that is, each new service pack contains all the fixes in previous service packs, plus any new fixes. They are designed to ensure platform compatibility with newly released software and drivers, and contain updates that fix issues discovered by customers or by internal testing.

Security updates, on the other hand, are interim updates that usually address a specific bug or security vulnerability. All security updates offered during a service pack's lifetime are combined into the subsequent service pack. Each security update identified by this tool has an associated Microsoft security bulletin that contains more information about the fix. The results of this check identify which security updates are missing, and provides a link to the Microsoft Web site to view the details of each security bulletin.

Microsoft® Baseline Security Analyzer (MBSA) checks to ensure that you have the latest service packs and security updates for the following products and components:

This check is performed by using information obtained from Microsoft.com in the form of a signed .cab or .xml file (Mssecure.xml). The tool downloads this information from Microsoft.com each time it is run. If it is not able to contact Microsoft.com, it will use a version of the database cached on the local machine. There is also an option to perform this check against an approved updates list from a local Software Update Services (SUS) server, rather than against the complete list of available updates from Microsoft.com.

Default Settings.  Security update scans executed from the Microsoft Baseline Security Analyzer (MBSA) graphical user interface (GUI) or from Mbsacli.exe (MBSA-style scan) will scan and report missing updates marked as critical security updates in Windows Update (WU), also referred to as baseline critical security updates. When a security update scan is executed from Mbsacli.exe using the /hf switch (HFNetChk-style scan), all security-related security updates will be scanned and reported. A user running an HFNetChk-style scan can choose to scan for WU critical security updates only, and can suppress notes or warnings, if not desired, through the command-line parameters.

SUS Scan Option.  This option will search for missing security updates included in an approved items list on the SUS server, rather than from the full list of available security updates in the Mssecure.xml file from the Microsoft Web site. When this option is selected in the GUI, MBSA attempts to automatically obtain the local SUS server name from the local registry. Otherwise, MBSA will use the SUS server name that is entered by the user. MBSA connects over HTTP to the specified SUS server and reads the Approveditems.txt file to identify security updates that have been explicitly approved by the SUS administrator. MBSA notes the approved security updates and then looks at a mapping table in the Mssecure.xml file to match the SUS security updates to the updates in the XML file. MBSA will then perform the security updates scan based on the selected updates in the Mssecure.xml file, which is mapped to the approved updates on the local SUS server.

Additional Resources

Microsoft Hotfix and Security Bulletin Service

Microsoft Strategic Technology Protection Program

Microsoft Software Update Services


©2002-2004 Microsoft Corporation. All rights reserved.