MS07-013 and Windows 2003 sp2

We have a Windows 2003 64 Bit Edition with Service Pack 2 installed. Our vulnerability scanner is reporting that this server is vulnerable to MS07-013 because %windir%\system32\riched20.dll version is version According to the security bulletin this should be version Neither Microsoft Update nor MBSA detects a patch needed on this system.

Is MS07-013 included in Windows 2003 sp2? Is the system still vulnerable? Who knows!

It is not included in the list of updates included in Windows 2003 SP2.

If %windir%\system32\riched20.dll version is considered “patched” in Windows 2003 sp2 then we need the security bulletin updated. If it is not patched then I need a patch released.

I’ve sent a note to my Microsoft TAM. We’ll see what happens.

I notice that a mailing list at reports four other curious patches. Those patches all have correct file versions on my server.

Update – I heard back from my TAM. He provided this link which indicates MS07-013 is included in Windows 2003 sp2. While it doesn’t specify the version number to expect, it does say it will be earlier than if you applied the patch to an sp1 server.