• From my experience:

    If a user reports a bug then the QA team would be right on it.  If an in-house tester found a bug after release then we'd probably wait until the next scheduled release to fix it.

    Of course, the severity of the bug is always taken into consideration: I assume Microsoft do the same.  For example, when writing financial software, if a bug was found that caused figures to be incorrect, we'd patch that straight away.  If the GUI was awry then we'd leave it until the next release.

    I think severity should be the main consideration, and then you can take into account who knows about it.  If it's non-severe and the user doesn't know, then why bother alerting them?