Re: ISV guy:
Yes, you're correct: most MS fixes involve fresh builds of their top-of-tree code
for the affected component, not a small patch applied to a release branch.
I'm not really sure what else they could do; they'd be maintaining thousands of release
branches by now if they didn't do that, and every patch would then have to come in
a thousand different versions (or a million if it included fixes to *two* DLLs instead
of just one, a billion for three DLLs, etc.!)
Hang on, this can't be right. Can't M$ just maintain a single development line for any given OS and simply add *patches* to it? You know, like Debian does. Can you imagine Debian updating OpenSSL in Stable on every box as a security update if it also meant a major revision that broke binary compatibility? Argh! No, it wouldn't happen - they wouldn't make every new component work with a small update just so you could have the latest version of the package being updated. They will just make the small change necessary to fix the problem in the current version and leave everything else well alone (production quality software, y'see). They are literally giving you binaries that incorporate the few small changes needed to effect the security improvement in whatever is being fixed. Hell, even in source-based OSs like the BSDs, you have code branches against which you build your system, with the understanding that you won't get screwed by feature/functionality/interface improvements. This isn't so with Gentoo, though (well, not yet, anyhow).