The chain appears to be KB978338 to KB978886 to KB2563894 to KB2588516 (newest). All four of these updates are approved on our WSUS server. KB978338 is listing as Not Applicable on all machines, because it has been superseded. This is the behavior I would expect. However, our security office is reporting that KB978338 should still be installed on all machines because its actual effect is not replicated by any of the updates that follow it. Here is the analysis I was sent:
KB978886 applies to Vista SP1 only. The rollout of SP2 did not address the ISATAP vulnerability and reintroduces it.
KB2563894 only updates two files (Tcpip.sys and Tcpipreg.sys). It does not update the 12 other affected ISATAP, UDP, and NUD .sys and .dll files. (MS11-064)
KB2588516 addresses malformed continuous UDP packet overflow. But does not address the ISATAP related NUD and TCP .sys and .dll files. (MS11-083)
So yes, many IP vulnerabilities. But each KB addresses specific issues that do not cross over to other KBs.
We can install KB978338 by manually running the .MSU file, but we aren't certain if that will overwrite the couple files that get updated by later patches since we would be installing the patch out of order.
Is the above analysis correct? Is the chain of supersession incorrectly defined? If it is, what is the proper way to report it so that it can be changed by the correct Microsoft team? We are currently using 32-bit and 64-bit installations of Vista SP2.
Note: I should mention that I posted this on Technet as well. I will keep this up-to-date with any information I get on there.
Check the versions of these files on one of the systems that security is showing as needing KB978338.
Bfe.dll
Fwpkclnt.sys
Fwpuclnt.dll
Ikeext.dll
Iphlpsvc.dll
Netio.sys
Netiomig.dll
Netiougc.exe
Tcpip.sys
Tcpipcfg.dll
Tcpipreg.sys
Tunmp.sys
Tunnel.sys
Sometimes the detection can get jacked up by one or more of the files being on a different "branch" than typical security updates. The files in this package in particular, due to their core nature and the large number of affected files, are also the subject of many other QFE branch hotfixes.
Security updates are usually in what is known as the General Distribution Release (GDR) branch. Hotfixes that address specific issues are in what is known as the Quick-Fix Engineering (QFE) branch, also known as Limited Distribution Release (LDR). QFE files usually include GDR fixes, but GDR fixes may not include QFE fixes. The files typically re-converge at service pack time. (Most public QFE hotfixes that have passed full testing are usually included in the next service pack.)
If any of these files got on the QFE branch, it may already have the required fix. Most of the time the detection works well, and the security updates usually have files for both branches, in case you have one or more files on the QFE branch. There are typically several versions of each file updated, depending on the number of service packs that are available for the product. For KB978338, that is why there are six different versions of tcpip.sys included. 6.0.6000.17021, 6.0.6000.21226, 6.0.6001.18427, 6.0.6001.22636, 6.0.6002.18209, and 6.0.6002.22341.
More information:
http://blogs.technet.com/b/mrsnrub/archive/2009/05/14/gdr-qfe-ldr-wth.aspx
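To make the manual check above repeatable across a fleet, here is an added example (not from this thread or from Microsoft) that takes the file versions collected from a machine, works out the service-pack level and servicing branch of each file from its version number, and compares tcpip.sys against the six KB978338 versions listed in the answer. The branch rule it uses (a fourth version component of 20000 or above marks the QFE/LDR branch, below that the GDR branch) is the convention described in the linked TechNet post; the sample inventory, including its parenthesised build tag, is constructed, and the collection commands in the comments are what you would run on the Vista box itself.

```python
"""Classify Vista system-file versions by service pack and servicing branch
(GDR vs QFE/LDR) and check them against the versions shipped in a security
update. Added example, not code from the thread. The reference versions for
tcpip.sys are the six listed in the answer above; every other value here is
constructed for illustration.

Collecting the inputs on the machine (real commands, run on the Vista host):
  cmd:        wmic datafile where "name='C:\\Windows\\System32\\drivers\\tcpip.sys'" get Version
  PowerShell: (Get-Item C:\Windows\System32\drivers\tcpip.sys).VersionInfo.FileVersion
The PowerShell form may return a string such as "6.0.6002.18209 (vistasp2_gdr...)";
parse_version() keeps only the leading dotted number.
"""
from typing import NamedTuple, Optional


class FileVersion(NamedTuple):
    major: int
    minor: int
    build: int      # 6000 = RTM, 6001 = SP1, 6002 = SP2 for Vista
    revision: int   # below 20000 = GDR branch, 20000+ = QFE/LDR branch


def parse_version(raw: str) -> FileVersion:
    """Parse 'a.b.c.d' (optionally followed by a build tag) into a FileVersion."""
    token = raw.strip().split()[0] if raw.strip() else ""
    parts = token.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {raw!r}")
    return FileVersion(*(int(p) for p in parts))


SP_BY_BUILD = {6000: "RTM", 6001: "SP1", 6002: "SP2"}


def service_pack(v: FileVersion) -> str:
    return SP_BY_BUILD.get(v.build, f"unknown build {v.build}")


def branch(v: FileVersion) -> str:
    return "QFE" if v.revision >= 20000 else "GDR"


# Minimum versions shipped in KB978338, keyed by file name, then (build, branch).
# Only tcpip.sys is listed in the answer; the other files would be filled in
# from the KB's file-information table the same way.
KB978338_MIN = {
    "tcpip.sys": {
        (6000, "GDR"): parse_version("6.0.6000.17021"),
        (6000, "QFE"): parse_version("6.0.6000.21226"),
        (6001, "GDR"): parse_version("6.0.6001.18427"),
        (6001, "QFE"): parse_version("6.0.6001.22636"),
        (6002, "GDR"): parse_version("6.0.6002.18209"),
        (6002, "QFE"): parse_version("6.0.6002.22341"),
    },
}


def meets_minimum(name: str, installed: FileVersion, minimums: dict) -> Optional[bool]:
    """True/False if a reference exists for this file, SP and branch; None otherwise.

    Comparison is done only within the same build and branch: a QFE revision
    is numerically larger than any GDR revision but does not imply it carries
    the GDR fix, so cross-branch comparison would be meaningless.
    """
    per_file = minimums.get(name.lower())
    if not per_file:
        return None
    required = per_file.get((installed.build, branch(installed)))
    if required is None:
        return None
    return installed.revision >= required.revision


def assess_inventory(inventory: dict, minimums: dict) -> dict:
    """inventory: {file name: raw version string}. Returns a per-file report."""
    report = {}
    for name, raw in inventory.items():
        v = parse_version(raw)
        report[name.lower()] = {
            "version": ".".join(str(p) for p in v),
            "service_pack": service_pack(v),
            "branch": branch(v),
            "meets_kb978338": meets_minimum(name, v, minimums),
        }
    return report


def files_below_minimum(report: dict) -> list:
    """Names of files that have a reference version and fall short of it."""
    return sorted(n for n, r in report.items() if r["meets_kb978338"] is False)


# Constructed sample: one SP2 machine whose tcpip.sys sits on the QFE branch
# at a revision below the KB978338 QFE version (the build tag is made up).
SAMPLE_INVENTORY = {
    "tcpip.sys": "6.0.6002.22000 (vistasp2_ldr.000000-0000)",
    "tcpipreg.sys": "6.0.6002.18209",
    "netio.sys": "6.0.6002.18005",
}

if __name__ == "__main__":
    rep = assess_inventory(SAMPLE_INVENTORY, KB978338_MIN)
    for name, r in rep.items():
        print(f"{name:14} {r['version']:16} {r['service_pack']} {r['branch']} "
              f"meets KB978338: {r['meets_kb978338']}")
    print("below minimum:", files_below_minimum(rep))
```

The point of the per-branch comparison is the one the answer makes: a machine whose tcpip.sys is on the QFE/LDR branch at 6.0.6002.22341 or later already carries the fix even though its revision number looks nothing like the GDR one, while a QFE file at a lower revision is missing it and will not be caught by comparing against the GDR version alone.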
Looks like the chain is indeed screwed up (it keeps going, 978338 supersedes 974112) - while the only real supersede relationship that's noted in the KBs is 2588516 replacing 2563894.
However, systems should still detect if they need an update that's been superseded. If they're not detecting, they may already have had the update installed - perhaps with the SP1 version of the same patch, so that the system files are already the correct versions but the Vista SP2 update doesn't show as installed?
Or are the superseded updates declined? That'd prevent detection, too.
Do the superseded updates show up in add/remove when you show installed updates? And what happens when you run a manual check against the Windows Update servers instead of your WSUS, do they show up as needed?
This one caused some confusion for us as well. If you just check the Supersedence column, you'll see the non-XP ones show the "superseded by another, supersedes others" indicator. However, checking the update details themselves, you'll see that the "Updates superseding this update" has an entry of "None". That leads me to believe that the above info, that some files for this patch are updated by newer patches, but not ALL of them, is behind this issue. Perhaps Microsoft needs to re-categorize this patch or release a Roll-Up including files from all 4.