Re: "critical" updates
I've just taken half a dozen test systems out of cold storage (er, ghosts) and run them all through Windows Update. I note that the same patches are sometimes considered critical and sometimes merely recommended, apparently depending on the target OS. I also note that although IE9 is part of the "critical" list, it is not selected for installation by default, unlike nearly every other critical patch. (Patches for VS2005 and VS2010 runtime libraries are similarly critical-in-name-only.)
I haven't found a case where a "recommended" patch is ticked by default. Even so, I think someone at MS needs to look up "critical" in the dictionary. What's the point of ticking the "automatically install all critical updates" box if you have to manually check the blasted thing afterwards?