• Hi Steve,

    I'm not surprised. When you think about it, it makes sense.

    The risk of releasing patches without extensive testing is high. Of course, nobody expects patches and hotfixes to get the same amount of testing service packs do. But I'm sure that the people at Microsoft try to get as much as possible of the more important tests done before releasing anything.

    If a potential security hazard has been identified in-house but is not public yet, the risk of customers being exploited by hackers is low. After all, they'll have to find the exploit first.

    However, once a security hazard is known to the public, it's also known to the hackers. You can be sure that every hacker will try to use it as much as possible before MS releases a patch. The risk for customers to be exploited gets extremely high.

    For patches to secure non-public security problems, the choice MS has is to release before finishing all tests (high risk) or postpone release (low risk). For patches to secure publicly known security problems, the choice MS has is to release before finishing all tests (high risk) or postpone release (extremely high risk). In both cases, MS will choose the option with the lowest possible risk.

    Best, Hugo


    Hugo Kornelis, SQL Server/Data Platform MVP (2006-2016)
    Visit my SQL Server blog: https://sqlserverfast.com/blog/
    SQL Server Execution Plan Reference: https://sqlserverfast.com/epr/