Why does PMImport not include fixes to security issues documented in Microsoft Security Advisories?
Patch Management is designed primarily to deploy security update files that are associated with Microsoft Security Bulletins, though it is periodically used to deploy Microsoft KB updates that are security related. In regards to Microsoft Security Advisories, if and when these become a Security Bulletin they are always added into PMImport and deployed by Patch Management.
Microsoft issues Security Advisories are a means of sharing information that has been reported and they are either still looking into or they’ve identified a workaround that is not resolved through a file update.
Additionally, the process of adding an Microsoft Advisory in 6.x, 7.0 and 7.1 is to create an enhancement request that the Patch Product Manager will review and approve to include in the next PMImport. The reason an Advisory is not automatically added it that sometimes Microsoft requires the customer to login/register to get access to the download files or the MS Advisory is a change in a registry key or setting. Because of these factors MS Advisories are not automatically added to PMImport.
Currently the process for creating an enhancement request can be found in the following articles: