Q. What does the Security Bulletin Search Tool do?
A. The Security Bulletin Search Tool lets you easily and quickly find the security updates available for Microsoft products.

Q. What is new in the Security Bulletin Search Tool?
A. On December 13, 2004, Microsoft released an update to the Security Bulletin Search Tool. The update includes improvements to the search results displayed when a search is conducted with the “show only bulletins that contain updates that have not been replaced by a more recent update” option selected. This will allow customers to more consistently determine which updates have been superseded. On October 27, 2003, Microsoft released a new version of the Security Bulletin Search Tool. The updated tool provides an attractive new interface, but the changes go far beyond the cosmetic. The following features have been added:
Q. What is the difference between an update and a bulletin?
A. A bulletin is an announcement that a new update has been issued. A bulletin might cover one or more updates and discusses the vulnerability fixed by the updates. Typically, a bulletin announces updates for several products within the same product family. For example, a typical Windows security bulletin might include updates for Windows 2000, Windows XP, Windows Server 2003, and any other Windows products as appropriate. Each update is product-specific and might replace other updates issued earlier for that product in another bulletin. It’s important to note that, while the search tool displays bulletins, it filters your search based on the updates announced in that bulletin.
Q. How do I use the Security Bulletin Search Tool?
A. The Product/Technology box lets you select the product or technology you want update information for. Select “All” to see the updates available for all Microsoft products, or select a particular product to see only the updates available for it. If you select a particular product, the Service Pack box lets you refine your search further to see only the updates available for a particular service pack of the product you've selected. Once you select a service pack, you can also search only for updates that have not been replaced by a more recent update. This allows you to filter the search to show only those updates you need to deploy. Note that this option (to search for updates that have not been replaced by a more recent update) is available only if both the product and the service pack have been selected. You can also use the severity rating check boxes to filter the search based on the severity rating of an update. You can use the Release Date box to show only those bulletins issued within a particular time frame.
Q. What do the results mean?
A. The output from the search lists the security bulletins that provide updates or workarounds for the product and service pack combination you've selected. Let's look at two examples:
Q. I see the term "Gold" in reference to service packs. What does "Gold" mean?
A. Gold is the term used to describe the originally released version of the product—that is, the version of the product before any service packs have been applied.
Q. What is the Severity Rating System?
A. The severity rating system provides a single rating for a vulnerability in a software product. The definitions of the ratings are:
For more information, click here.
Q. I'm not running the latest service pack. If I apply all the updates listed on the search page for my product and service pack, am I up to date on security fixes?
A. Not necessarily. If you’re running a product or service pack that is not supported by Microsoft’s product lifecycle policies, your system may not be secure even if you apply all the updates provided by the search tool. Microsoft generally develops updates only for the current and next-to-current versions of a product and the current and next-to-current service packs for each. If you are using a product or service pack that is no longer supported, an update might not be available for it, even though it might be affected by the vulnerability. To read more about Microsoft’s product lifecycle policies, go to http://www.microsoft.com/lifecycle. Occasionally, a security fix is included in a service pack and not made available as an update. For example, Microsoft might take this step if a fix is so complex that it requires the level of regression testing that can only be applied to a service pack. In addition, some security updates can only be installed on recent service packs because of dependencies on particular versions of the product files. To ensure that you have the latest set of security fixes, you should install the latest service pack and then apply the updates appropriate for your product and service pack.
Q. I noticed there are updates recommended for a service pack that is not released yet. Why wouldn't these fixes be included in the service pack? Does this mean I must install these updates after I install the service pack?
A. Whenever we develop a service pack, we must establish a cutoff date after which we don't include any additional changes. This ensures that there is adequate time to test the service pack before releasing it to the public. Security updates that are released after the cutoff date are not included in the service pack and should be applied to systems even after the service pack has been applied. If you apply these updates to your system prior to installing the service pack, you do not need to install them again after applying the service pack. The service pack will not overwrite these files.
Q. Am I better off applying security updates or service packs?
A. You should apply both. Security updates are released to address specific security vulnerabilities. Many times, these vulnerabilities are not applicable to a specific installation. You should carefully read each security bulletin to determine if the update is applicable to your situation. Service packs, on the other hand, are planned releases that contain fixes for both security and non-security issues. Service packs should be applied to your system to ensure you have the latest version of fixes available for your product. More information on the choice between service packs and updates is available in the security essay, "Why Service Packs Are Better Than Updates".
Q. I'm running the latest service pack, and I've installed all of the updates. Does this mean my system is fully secure?
A. No. Applying updates is a critical step toward having a secure system, but it's not sufficient by itself. Even a fully updated system might be insecure if it's not configured appropriately for its role. For further guidance on secure configurations, visit Microsoft TechNet's Security Center. There are also a number of other security resources available throughout the TechNet Security site.
Q. Why can I not use the "Show only bulletins that contain updates that have not been replaced by a more recent update" setting?
A. You must first select a product and service pack to enable this setting. Bulletins are not replaced; only updates are. Since updates are issued for a specific service pack, it is not possible to search for bulletins that contain "updates that have not been replaced" unless both a product and a service pack have been selected.
Q. Why does the result set show "Bulletin Rating"?
A. Bulletins often contain updates for several products. An update may have a high severity for one product and a lower severity for another. For example, the issues discussed in MS03-020 were Critical for Internet Explorer 6.0 Service Pack 1 and for Windows XP Service Pack 1, but were only Moderate for Windows Server 2003 because Internet Explorer 6.0 is installed on that operating system in a locked-down configuration that prevents these issues from being exploited. A bulletin's severity rating equals the highest update severity among all updates within the bulletin.
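To make the rules in the preceding answers concrete (updates are product- and service-pack-specific, supersedence applies to updates rather than bulletins, a bulletin's rating is its highest update severity, and the "not replaced" filter needs both a product and a service pack), here is an added example. It is not the search tool's own code; the bulletin ids, updates and the replaces relation are constructed sample data.

```python
from dataclasses import dataclass

SEVERITY_ORDER = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


@dataclass(frozen=True)
class Update:
    update_id: str
    product: str
    service_pack: str                   # "Gold" = originally released version
    severity: str
    replaces: frozenset = frozenset()   # ids of earlier updates this one supersedes


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    updates: tuple                      # one bulletin announces one or more updates


def bulletin_rating(bulletin):
    """A bulletin's rating is the highest severity among its updates."""
    return max(bulletin.updates, key=lambda u: SEVERITY_ORDER[u.severity]).severity


def search(bulletins, product="All", service_pack=None,
           unreplaced_only=False, min_severity="Low"):
    """Return ids of bulletins containing at least one update that matches."""
    # Supersedence is a property of updates, not bulletins, and an update is
    # tied to one product/service pack, so this filter needs both selected.
    if unreplaced_only and (product == "All" or service_pack is None):
        raise ValueError("select a product and a service pack first")
    superseded = {r for b in bulletins for u in b.updates for r in u.replaces}

    def matches(u):
        return ((product == "All" or u.product == product)
                and (service_pack is None or u.service_pack == service_pack)
                and SEVERITY_ORDER[u.severity] >= SEVERITY_ORDER[min_severity]
                and not (unreplaced_only and u.update_id in superseded))

    return [b.bulletin_id for b in bulletins if any(matches(u) for u in b.updates)]


# Constructed sample data (not real bulletins): U3 replaces U1 for Windows 2000 SP3.
BULLETINS = (
    Bulletin("MSXX-001", (Update("U1", "Windows 2000", "SP3", "Important"),
                          Update("U2", "Windows XP", "SP1", "Critical"))),
    Bulletin("MSXX-002", (Update("U3", "Windows 2000", "SP3", "Moderate", frozenset({"U1"})),
                          Update("U4", "Windows XP", "Gold", "Low"))),
)
```

Searching Windows 2000 SP3 with the "not replaced" filter returns only the second bulletin, because its update supersedes the first bulletin's update for that service pack, while the first bulletin still rates Critical overall because of its Windows XP update.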
Q. When I search on Windows 2000 Service Pack 3, I see updates for MDAC. Why is that?
A. Products ship with various components, and updates can be issued for an individual component, as opposed to the operating system itself. Since Windows 2000 Service Pack 3 ships with MDAC, the search results include updates for MDAC.
Q. Why don’t I see my service pack listed?
A. Only service packs that have an update released for them appear in the list. If your service pack is not listed, there are no updates for it.
Related Links
To learn about the new bulletin release process and formatting implemented on October 15, 2003, please read "Revamping the Security Bulletin Release Process".