Yes - all vulnerabilities exist regardless of whether or not they are exploited.
Disabling RDS doesnt patch the code (remove the vulnerability) - the insecure code is still there, just not active: as soon as RDS is enabled, the (unpatched) vulnerability can be exploited.
There is a significant distinction between vulnerabilities and exploits - vulnerabilities are actual defects (bad code/code design) in the software (Window's RDP/RDS implementation) - exploits are the specific tools/processes that use the vulnerabilities for effect (DoS, privilege escalation, remote access, etc).
The article you cited ambiguously references this distinction - the exploit tool ("the most common version of wannacry") was coded/designed in a way that that was mostly ineffective against XP remotely (locally it was just as effective).
In other (specific) words, XP had the same SMB code vulnerability(ies) as later versions of Windows , but the specific implementation of EternalBlue via the most common WannaCry code was, ironically, buggy and defective relative to XP's SMB implemention, and thus was relatively ineffective (especially when executed remotely).
This might have even been "intentional", since at the time of WannaCry XP's market share was in the single digits and the code may have been optimized for 7/8/10/2008/2012 (covering more than 90% of Windows installs).
Buggy/flawed/defective exploit code is just as common as buggy/flawed/defective vulnerability code and often serves as a limiting factor in the propagation and spread of malware - going back as far as malware has existed, long prior to the existence of networks or the internet. In fact almost every "internet worm" of note was/has been vastly limited in its propagation and damage due to this often un/der-reported "buggy malware" fact.
Malware/exploit authors are just as (if not more so) prone to write/design buggy/flawed/defective code as the original target code authors - and we can be thankful for that.
Just imagine if malware authoring was an industry where highly efficient/effective exploit coding services were up for bidding by corporations, governments, criminal syndicates...oh..wait..never mind.