I'm very curious about what you mean by patching your server.

We do patch our Windows servers every month, have software to keep track of what was patched and what was not, and patch what needs to be fixed, etc... But as far as SQL, there were 2 security patches last year that were completed this year. That's all in several years (the only for 2005 and not sure if SQL 2000 had any before that), and even those were minor and had work-arounds.

So if you are talking about Windows, yes we keep everything patched, and have done the same with these security patches in SQL.

I'm curious now is if you are advocating applying every CU when they are released. If yes, how does that relate to database security?