MS07-013 and Windows 2003 SP2

We have a Windows 2003 64-bit Edition server with Service Pack 2 installed. Our vulnerability scanner is reporting that this server is vulnerable to MS07-013 because the %windir%\system32\riched20.dll version is 5.31.23.1225. According to the security bulletin http://www.microsoft.com/technet/security/Bulletin/MS07-013.mspx this should be version 5.31.23.1226. Neither Microsoft Update nor MBSA detects a patch needed on this system.

Is MS07-013 included in Windows 2003 SP2? Is the system still vulnerable? Who knows!

It is not included in the list of updates included in Windows 2003 SP2 http://support.microsoft.com/kb/914962

If %windir%\system32\riched20.dll version 5.31.23.1225 is considered “patched” in Windows 2003 SP2, then we need the security bulletin updated. If it is not patched, then I need a patch released.

I’ve sent a note to my Microsoft TAM. We’ll see what happens.

I notice that a mailing list at patchmanagement.org reports four other curious patches. Those patches all have correct file versions on my server.

Update – I heard back from my TAM. He provided this link which indicates MS07-013 is included in Windows 2003 SP2. While it doesn’t specify the version number to expect, it does say it will be earlier than if you applied the patch to an SP1 server.
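The scanner finding above is what a version-only rule produces. As an added example (not from the original post, and not any scanner's real logic), the sketch below contrasts that rule with one that also knows which service pack already carries the fix. The rule layout and function names are assumptions; the version numbers and the "SP2 includes MS07-013" fact come from the post and its update.

```python
# Added illustration: hypothetical rule layout, values taken from the post.
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.31.23.1225' into (5, 31, 23, 1225) so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class BulletinRule:
    bulletin: str
    file_name: str
    fixed_version: str              # version the bulletin lists for the patched file
    included_in_sp: Optional[int]   # service pack that already ships the fix, if any


# The bulletin expects .1226; per the post's update, SP2 already includes the fix.
MS07_013 = BulletinRule("MS07-013", "riched20.dll", "5.31.23.1226", included_in_sp=2)


def naive_check(rule: BulletinRule, file_version: str) -> bool:
    """Version-only rule: report vulnerable when the file is below the bulletin's version."""
    return parse_version(file_version) < parse_version(rule.fixed_version)


def sp_aware_check(rule: BulletinRule, file_version: str, sp_level: int) -> bool:
    """Skip the version comparison when the installed service pack carries the fix."""
    if rule.included_in_sp is not None and sp_level >= rule.included_in_sp:
        return False
    return naive_check(rule, file_version)


if __name__ == "__main__":
    observed = "5.31.23.1225"  # riched20.dll version reported on the SP2 server
    print("version-only rule flags host:", naive_check(MS07_013, observed))
    print("SP-aware rule flags host:    ", sp_aware_check(MS07_013, observed, sp_level=2))
```

The same file version on an SP1 host is still flagged by the second rule, so the service-pack exception does not hide a host that is missing the patch.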