The situation is odd, said Andrew Storms, director of security operations at nCircle Network Security, and more than a little confusing. "Microsoft calls its service packs cumulative updates, and tells customers they're the new baseline, in this case for installing XP. I don't know of another instance where they've not included all the security patches with a service pack."
Microsoft's own marketing and technical documentation claims that its service packs are all-inclusive. A white paper issued early last month, 'Windows XP Service Pack 3 Overview' (download PDF), states on its title page that: "Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system, and a small number of new updates to ensure that Windows XP customers have the latest updates for their system."
"You'll still need to update Flash after XP SP3," noted Storms. "It still requires manual intervention."
Consumer computer users will be the most likely affected by the missing update, Storms said, since enterprises do - or at least should - test a service pack before deploying it to, for example, determine what currently-supported component or application might be overwritten by the update. "The real significance of this is on the consumer side," said Storms. "In all likelihood, they probably wouldn't notice anything amiss until the next Patch Tuesday, when they read that they have to update Windows and go to Windows Update."
According to Microsoft, Windows Update should display MS06-069 as an available update the first time the service is called after a XP SP3 update. If the user has enabled Windows Update automatic updating, MS06-069 should be downloaded and installed.
Even then, however, users will need to further update Flash Player by visiting the Adobe website. On Tuesday, Microsoft again declined to explain why it had not included an update to Flash Player 220.127.116.11 - the most current edition - with XP SP3.
Storms speculated that Microsoft might issue a patch for the third-party software soon. "It wouldn't surprise me," he said. "Adobe took a lot of flack last week about the SQL-injection attacks."
Storms was referring to last week's disclosure that hackers have been using SQL-injection attacks to compromise legitimate websites, then instructing those sites to redirect visitors to malware hosting servers that try multiple exploits - including one that triggers a bug in Flash Player 18.104.22.168 - to hijack PCs.
"Adobe may have gone to Microsoft and asked for help to update customers," said Storms. "In conversations with our clients, it's clear that users don't update Flash unless they have to."
Microsoft's next security update is scheduled for next Tuesday, June 10.
Users running XP SP3 can determine which version of Flash Player is installed by calling up this Adobe website in their browser. Adobe has recommended that all users update to Version 22.214.171.124.