jvl45

  1. Background

     I just started in the new position of IT Security at a company. I immediately started vulnerability scans. One of the scans is a monthly scan for compliance to Microsoft patches (using Nessus). The scan results indicate what patches have not been installed. Several groups inside of the company have been scanned and have caught up with their patching - using MS WSUS.

     One team, which has fallen substantially behind in their patching of their Windows XP Professional PCs, has told me they are only installing recent patches since the ones they are installing supersede those patches that came out in 03, 04, 05, 06, 07 and some of 08. They have fears that installation of older patches will nullify more recent patches.

     My thoughts/questions are:

     1. They couldn't tell me what patches superseded each other so I could adjust my scan accordingly. I believe they never patched from the beginning and only started patching in July of 08 - starting with current patches only. Without a "supersede" list in hand, I believe there are still vulnerabilities that could be exploited.
     2. I believe, but would like someone to confirm, that WSUS would take care of the proper versioning of patches. Installing an older patch, after a more recent patch was installed first, would not nullify the newer patch.
     3. Does MS keep a master list of what patches supersede each other?