Anyone who was in employment when SQL Slammer hit is unlikely to leave servers unpatched.

SQL Slammer caused so many problems because it attacked all editions of SQL Server so the DBAs who thought they were safe by applying SP3a to Standard, Developer and Enterprise editions of SQL2000 got a really nasty shock from all the mystery MSDE installations that had turned up in their organisation.

Ideally there should be some auditing software that can track down the various copies of SQLExpress and identify their patch levels.

Things to consider

1. Which copies are internet downloads?

2. Which copies power up a 3rd party application?

3. Can the 3rd party applications be patched?

4. How many copies SQL Express have you got in total

5. Can they be patched remotely from a central point. You don't want 300 employees trying to download a service pack in one go!