Why isn't KB935448 a re-release of MS07-008?

 
 
pen
      04-09-2007
More precisely, why isn't the security patch referred to by KB935448 treated
as a re-release of the XP SP2 security patch referred to by MS07-008? Sure,
it fixes no new vulnerabilities; if you've already installed MS07-008 and are
having no problems with it (such as installing the XP SP2 patch referred to
by MS07-017), then there is no security concern to address by installing the
new patch (the patch currently available from KB935448).

If you have installed the security patch referred to by MS07-017, and now
have a "The system DLL user32.dll was relocated in memory." message, you
should read the 935448 knowledge base article. The 935448 package replaces
hhctrl.ocx.

As I read this, it looks like XP SP2 users who have installed MS07-008 and
MS07-017 and have one or more of a list of products installed, find they
should replace hhctrl.ocx with a patch referred to by 935448.

This seems a lot like a re-release of MS07-008. We've seen that before;
we've seen patches re-released even though there is no security benefit to
the new patch.

What is different this time?

 
 
 
 
 
John [MSFT]
      04-09-2007
The fix is in a different component, hhctrl.ocx. How would you re-release
MS07-008 if the fix is not in one of the files included in that update?

Also, a re-release implies that most customers do have to reinstall the fix.
While this isn't a big issue with home PCs, for enterprise customers this
can be very expensive.

The MSRC blog pointed out that tomorrow, the KB935448 will be released on WU
& AU & WSUS, targeting those systems known to be affected, but not
necessarily deploying the update to millions of machines that don't need the
fix.

 
pen
      04-09-2007
MS07-008 replaces Hhctrl.ocx (with version 5.2.3790.2847, size 546,304, dated
January 23, 2007)
The 935448 package replaces Hhctrl.ocx (with version 5.2.3790.2847, size
546,304, dated April 2, 2007)

It is the same component. Not only the same component, the same version. MD5
hashes don't match, though. That usually leads to a configuration management
problem that enterprise customers find difficult to manage.

I figured the answer would be either:
- Insufficient regression testing. Can't roll it out widely without further
regression testing. Or:
- Bowing to enterprise customer pressure to not re-release patches. Their
internal procedures aren't designed to reset their progress counters to zero
and begin again.

Frankly, enterprise customers aren't equipped to handle this mechanism
either. MS07-017 offers a patch they can't install without determining what
to do with the 935448 package. If they're using SMS, they don't get this patch
through the ITMU. They're still stuck with designing a way to address the
935448 package and the MS07-017 package at the same time.

Not calling the 935448 package a re-release of MS07-008 leaves it to the
enterprise customer to figure out an answer.


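The configuration-management problem raised in the post above (same file name, version and size, but a different hash), as an added example that is not part of the original thread. The file contents are constructed stand-ins of the quoted size, the host names are hypothetical, and SHA-256 is used where the post mentions MD5.

```python
import hashlib
from collections import defaultdict

VERSION, SIZE = "5.2.3790.2847", 546_304   # version and size quoted in the post

def build(marker: bytes) -> bytes:
    """Constructed stand-in for one build of the file: same length, different bytes."""
    return marker.ljust(SIZE, b"\0")

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

BUILD_A = build(b"constructed build A (MS07-008 package)")
BUILD_B = build(b"constructed build B (935448 package)")

# Baseline keyed by content hash, because version and size cannot tell the builds apart.
BASELINE = {digest(BUILD_A): "MS07-008", digest(BUILD_B): "KB935448"}

# Constructed inventory: (host, file name, reported version, file content)
INVENTORY = [
    ("ws-01", "hhctrl.ocx", VERSION, BUILD_A),
    ("ws-02", "hhctrl.ocx", VERSION, BUILD_B),
    ("ws-03", "hhctrl.ocx", VERSION, build(b"constructed unknown build")),
]

def version_only_view(inventory):
    """What a version/size compliance check sees: every host lands in one group."""
    groups = defaultdict(list)
    for host, name, version, content in inventory:
        groups[(name, version, len(content))].append(host)
    return dict(groups)

def hash_view(inventory, baseline):
    """Map each host to the package its file content matches, or 'unknown'."""
    return {host: baseline.get(digest(content), "unknown")
            for host, _name, _version, content in inventory}

def ambiguous_keys(inventory):
    """(name, version, size) keys that cover more than one distinct content hash."""
    seen = defaultdict(set)
    for _host, name, version, content in inventory:
        seen[(name, version, len(content))].add(digest(content))
    return {key: len(hashes) for key, hashes in seen.items() if len(hashes) > 1}

if __name__ == "__main__":
    print(version_only_view(INVENTORY))
    print(hash_view(INVENTORY, BASELINE))
    print(ambiguous_keys(INVENTORY))
```
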
 
Raolin
      04-09-2007
I'm having problems with this. I know just enough to get around a computer,
and the patch has stopped my computer's Realtek sound from working properly. I
found the patch that is mentioned here and downloaded it, and nothing changed.
Do I have to delete something to get it working, or am I stuck until MS
updates it even more? The patch notes just confused me even more.

 
Ottmar Freudenberger
      04-10-2007
"Raolin" wrote:

> I'm having problems with this, I know just enough to get around a computer
> and the patch has stopped my computer's Realtek sound from working properly. I
> found the patch that is mentioned here and downloaded it and nothing changed.


Have you tried downloading and installing the latest version of the
driver and software for your Realtek Soundcard?

http://www.realtek.com.tw/downloads/...Audio%20Codecs

Bye,
Freudi

 
 
Raolin
      04-10-2007
I have indeed and it still is kaput.
