In the 'good ole days' of NT, the rule of thumb was simple... if you had installed a service pack on a server and subsequently installed a piece of software that prompted you to insert the OS disc which then installed un-patched components, then you simply re-installed the latest service pack immediately afterwards to ensure that the new components got patched.
In today's auto-update world...when you have a fully patched server and you install a windows component that requires the OS disc to install additional items... is the auto-updates smart enough to always ensure every component is updated properly? Seems to be a pretty bold assumption.
To clarify further, let's pick an example...say you have IIS installed but not SMTP component on a 2003 server box. Years have gone by, along with many, many updates on the system. Someone then installs something that requires the SMTP component pieces and it now gets installed. If there are any new DLL's unique to this component, which were previously not on the system, then they are installed in their unpatched state from the OS disc.
Updates would have to know that IIS was fully patched prior to SMTP component, but now individual pieces need to be updated.
In general, do you rely on windows updates to properly handle this situation?
See http://support.microsoft.com/kb/274215/EN-US/
This is Windows 2000 but it also applies to W2k3. The upshot is that you do not need to reapply service packs after using Add/Remove Windows Components.
JR
Windows Update scans your system config every time it runs to see what it needs to offer you, so yes. Similar to your example I have installed IIS, gone a bit of time while getting updates from Windows Update, then installed ASP at a later time. Windows Update detected that ASP was there and began offering patches for it.
You could also ensure you slipstream SP2 into the 2k3 disks so that when prompted you install SP2 components.
That way Windows Update will only download post-SP2 updates/fixes for that particular component.