Believe it or not I don't work in IT, haven't for 7 years. Yes I work with Microsoft's Windows XP Embedded and as a result I have to know a lot about the OS, the kernel, Win API calls etc. But I don't have to support networking day in and day out. So I've gotten a bit sloppy maybe. My test system at work uses a Lxxxsys Ethernet router to separate my test systems from the internal corporate network. Mostly so I don't create chaos for the IT guys but also because that's what we've unfortunately been using in the field. For at least the last 4 years. Mine is probably one of the early ones, I don't know for sure. I also have one of them at home. Do they have the same firmware? Probably not. My home router has wireless 802.11b/g on it, the office routers are CAT5 only.
All of my SP3 tests were done behind one or the other of those two routers. Turns out that others in the company are also using the same sort of routers (they can order them from inventory) for similar reasons and having similar problems.
Here's the scenario as it plays out. Using the router, you update your system to SP3 by either downloading it through the router using Windows Update or you do like I tried to do in the beginning and use an ISO or the packaged EXE file for the SP. It doesn't matter which scheme you use, they all fail to successfully install any more patches or updates or Internet Exploder 7, period. They will download but they will not install. Interesting.
You can update SP2 with all 99+ patches offered and everything works grand. They download, they install, everything is peachy. Just don't put SP3 on the computer.
If you take the router out of the picture by bypassing it and patching around it and setting your IP to match the once upstream network, everything comes down and installs perfectly. The settings in the router do not have any restrictions on connections originating inside the LAN on the router, just like Windows Firewall (which BTW was off for all of these experiments). You can connect to anything and do ftp, http, https, ntp, dns, smtp, pop3, imap, etc. with no problems. But once SP3 is on the box, updates don't work from behind the router.
I have not done enough experiments or net-sniffing to figure out what exactly was going on, but I will.
There is a surprise benefit to this scenario. We didn't want anybody in the field doing Windows Updates on our rental computers. Now if we get them up to SP3 before we send them out, we can keep them there since the units in the field can't get past the router!