Reply to post:

One-third of all HTTPS websites open to DROWN attack

Anonymous Coward

Beware that as OpenSSL itself warns, the SSLv2 server can be one "even with a different protocol such as SMTP, IMAP or POP", as long as it shares the RSA key with the TLS one.

Thereby, if someone used the same cert to protect both an HTTP server's and a mail server's (or whatever else's) connections, all servers need to be patched/configured to not use SSLv2, even under a downgrade attack.

"Servers" in this context means "server applications (daemons/services)", not instances, physical or virtual, of a server OS.

And because it is a protocol flaw, not an OpenSSL one, servers that don't use OpenSSL but another implementation of SSL could be a vulnerability issue as well, if not properly configured.
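The cross-protocol point made above (a TLS-only service is still exposed if any other service using the same RSA key speaks SSLv2, whatever SSL stack it runs) can be turned into a simple inventory check. This is an added example, not code from the comment or from OpenSSL; the inventory, the `key_id` values (standing in for the certificate's RSA public-key fingerprint) and the `stack` names are constructed sample data.

```python
"""Added example: given an inventory of TLS services and the RSA key each
one uses, report which services are exposed to DROWN because some service
sharing the same key still accepts SSLv2. Sample data is constructed."""
from collections import defaultdict

# Constructed inventory. 'key_id' stands in for the certificate's RSA public
# key (e.g. a SHA-256 fingerprint of the SubjectPublicKeyInfo); 'stack' is
# recorded only to show that the implementation in use does not matter.
SAMPLE_INVENTORY = [
    {"service": "https", "port": 443, "key_id": "key-A", "sslv2": False, "stack": "openssl"},
    {"service": "smtps", "port": 465, "key_id": "key-A", "sslv2": True,  "stack": "openssl"},
    {"service": "imaps", "port": 993, "key_id": "key-A", "sslv2": False, "stack": "gnutls"},
    {"service": "pop3s", "port": 995, "key_id": "key-B", "sslv2": True,  "stack": "other-ssl"},
    {"service": "ldaps", "port": 636, "key_id": "key-C", "sslv2": False, "stack": "openssl"},
]


def drown_exposure(inventory):
    """Return {key_id: {"sslv2_services": [...], "exposed_services": [...]}}
    for every key where at least one service still speaks SSLv2.

    A TLS-only service is listed as exposed too when it shares the key with
    an SSLv2-capable one: that is the cross-protocol aspect of DROWN. Only
    protocol support counts, not which SSL library the daemon links."""
    by_key = defaultdict(list)
    for svc in inventory:
        by_key[svc["key_id"]].append(svc)

    report = {}
    for key_id, services in by_key.items():
        sslv2 = [s for s in services if s["sslv2"]]
        if not sslv2:
            continue  # no service speaks SSLv2 with this key: not exposed
        report[key_id] = {
            "sslv2_services": sorted(f'{s["service"]}/{s["port"]}' for s in sslv2),
            "exposed_services": sorted(f'{s["service"]}/{s["port"]}' for s in services),
        }
    return report


if __name__ == "__main__":
    for key_id, info in drown_exposure(SAMPLE_INVENTORY).items():
        print(f'{key_id}: disable SSLv2 on {info["sslv2_services"]}; '
              f'until then all of {info["exposed_services"]} are exposed')
```

In the sample data, fixing only the HTTPS daemon would leave https/443 exposed through smtps/465, which is the situation the comment describes.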
