Q2596843 (Microsoft Office Compatibility Pack ... Vulnerability in Microsoft PowerPoint Could Allow Remote Execution) and Q2596912 (PowerPoint Viewer 2007 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution) are detected as missing when SP3 is not installed when scanned from Shavlik NetChk 7.6 and 7.8 with XML 18.104.22.1684.
You cannot blindly trust Microsoft Update. Especially for Office, it tends to find missing patches when they are not really needed. Microsoft seems to have a philosophy that they patch Office components that are not installed just so that if the user later installs them they will be patched. I prefer the Shavlik (VMware) philosophy of "if it ain't broke, don't fix it" because sometimes fixes break more things.
Q2596651 and Q2596789 are non-security fixes. Security fixes come out in the XML file first. The non-security fixes come out later. I am hoping that those two patches will be included in the XML file before our scheduled deployment this weekend. See also my post about a few other non-security patches that are not in the XML file yet, http://community.shavlik.com/answers/viewQuestion.apexp?id=906C0000000TUJyIAO.
XML data version = 22.214.171.1242 Last modified on 12/15/2011
- Modified MS11-094: ... Compatibility Pack 2007 (SP3) as affected products.
Looks like MU and the folks at VMware know something about the applicability for Microsoft Office Compatibility Pack SP3 that is not in the bulletin.
FYI, XML 1242 takes care of Q2596834 when SP3 is installed, but not Q2596912 which is also part of MS11-094. However, as mentioned, MS11-094 says it isn't needed if SP3 is installed. It is still just a matter of Microsoft Update offering "extra precaution".