The original version of the patch, which corrects a remote code execution flaw in the Windows Bluetooth stack, failed to properly fix the vulnerability for Windows XP users, according to Christopher Budd, a program manager in the MSRC (Microsoft Security Response Center).
[ SEE: Critical IE, Bluetooth, DirectX flaws highlight MS Patch Tuesday ]
Budd said an initial investigation into the hiccup identified "human issues" but he did not elaborate.
After we released MS08-030 we learned that the security updates for Windows XP SP2 and SP3 might not have been fully protecting against the issues discussed in that bulletin. As soon as we learned of that possibility, we mobilized our Software Security Incident Response Process (SSIRP) to investigate the issue.
Our investigation found that while the other security updates were providing protections for the issues discussed in the bulletin, the Windows XP SP2 and SP3 updates were not.
Our engineering teams immediately set to work to address the issue and release new versions of the security updates for Windows XP SP2 and SP3. These are available now and are being delivered through the same detection and deployment tools as the original update.
It's important to note that this re-release only applies to users running Windows XP SP2 or SP3. "If you’ve deployed security updates for MS08-030 for other versions of Windows, you don’t need to take any action for those systems," Budd said.
Microsoft has had trouble in the past with faulty security updates but it's somewhat rare for to see a bulletin re-release because the patch missed an entire OS version. The very reason we have a Patch Tuesday release cycle is to avoid situations where IT admins cannot properly prepare for testing and deploying updates.
Having two Patch Days in a month is borderline unacceptable, especially when it involves the "human issues" excuse.