From my experience:
If a user reports a bug then the QA time would be right on it. If an in-house tester found a bug after release then we'd probably wait until the next scheduled release to fix it.
Of course, the severity of the bug is always taken into consideration: I assume Microsoft do the same. For example, when writing financial software, if a bug was found that caused figures to be incorrect, we'd patch that straight away. If the GUI was awry then we'd leave it until the next release.
I think severity should be the main consideration, and then you can take into account who knows about it. If it's non-severe and the user doesn't know, then why bother alerting them?