Below is a nice detailed note from Doug Neal of partner Microsoft (we created mssecure.xml with them and MBSA 1.2.1 for them) as he posted on patchmanagement.org . I wanted to also note that our latest MBSA compatable tool does provide one solution for all Microsoft patches - and there is a fully free scanner version along with other free versions of our software as I posted a note a while ago on.
(thanks to Doug)
You may want to read the MSRC bulletin for MS06-055 (http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx). Although the MBSA team always provides a public announcement on the Microsoft.public.security.baseline_analyzer newsgroup, the MSRC bulletin will always be the authoritative source for all issues regarding a security update.
There is table within every MSRC security bulletin that identify the level of MBSA 1.2.1 and MBSA 2.0 support. From the table, you can see that MS06-055 is not supported by MBSA 1.2.1 (which is based on the MSSecure.XML file). MS06-055 is fully supported by MBSA 2.0 (which uses Microsoft Update and the WSUSSCAN.CAB file).
Any month MBSA 1.2.1 cannot provide support (usually due to technical limitations in the dated scan engine used by MBSA 1.2.1), Microsoft will provide a monthly edition of the standalone Enterprise Scan Tool (EST). All of the links describing MBSA 1.2.1 support and the EST tool (when needed) can be found in the security bulletin.
Customers who are using the MSSecure.XML file outside of the three Microsoft-supported products (SMS 2.0 SUIT, MOM and MBSA 1.2.1) are not only using the catalog file in an unsupported manner, but are potentially at risk since the MSSecure.XML file will never contain data for bulletins it cannot support (see KB 306460 and KB 895660) which makes it less than authoritative for patch detection outside of the supported Microsoft tools.
The MSSecure.XML file will not include Office products (since an integrated version of the ODT tool is used instead). MSSecure.XML will also not include bulletins that do not have MBSA 1.2.1 support (like Outlook Express, Windows Media Player 10/11, Internet Explorer 7.0, .Net Framework 1.0/1.1/2.0, Jscript, Microsoft's addition of Adobe Macromedia Flash in Windows, FrontPage Server Extensions, MDAC and a number of other components). MSSecure.XML will also not include detection and support for 64-bit platforms or Vista.
Additionally, the standalone MBSA 1.2.1 tool will be decommissioned in the coming months in favor of MBSA 2.0 (already released) and an additional tool (yet to be named) that will remove the need for MBSA 1.2.1 detection by filling in the 'gap' of detection for products that are not supported in MBSA 2.0 (which is based on Microsoft Update and WSUS technologies). See the MBSA home page at www.microsoft.com/mbsa for details as they become available.
Please feel free to post to the MBSA newsgroup (Microsoft.public.security.baseline_analyzer) if you have any questions regarding MBSA that Microsoft can answer since we may not always see them on this mailing list.
doug neal
Microsoft Baseline Security Analyzer (MBSA)
MBSA 1.2, 2.0, EST, CSA and MSSECURE.XML scan tools
