Bryan Owen of OSIsoft, a Portaledge participant, shared some more information on the Microsoft Server Core patching situation. Remember Server Core is the minimal installation of Server 2008 so it has a small attack surface, no GUI and hopefully much less patching is required. A few points:

• Auto update is turned off by default which makes sense for a mission critical server.
• When you turn auto update on for a core Server core - - that is no roles, such as DNS, applied - - four patches are applied. Our estimate, based on analysis in the early months and Microsoft documentation when available in later months, was that 7 of the 27 bulletins apply. This number obviously varies based on role.
• We were shocked that 08-024 was auto-applied to core Server Core. It is a patch for Internet Explorer, but evidently one of the DLL’s is in core Server Core.