The recent release of security fixes for SQL Server 2000 and 2005 (the issue did not impact SQL Server 2008) announced in MS09-004 seemed to spur two SQL Server 2005 cumulative updates (CUs) earlier this week — one for those on SP2, and one for those on SP3. (This typically happens when there is a new service pack released, as adoption rates are not always very fast, and the previous service pack is usually supported for some time.)
But as colleagues noted, the KB articles for the two releases may lead you to believe that there are fixes in CU12 that are not in CU2, and vice versa. And in fact this is true. So a few people have been wondering if they should upgrade to SP3 + CU2, or if doing so will leave them vulnerable to a fix that is only in SP2 + CU12 (or vice versa – a vintage Clash hit comes to mind). In case you were wondering which fixes you have depending on which "branch" you are on, here is the list I took from the two KB articles:
|SP2 CU # 12
|SP3 CU # 2
(FWIW, I tried to highlight the three rows where the fix is included in both CUs, but Community Server is having none of it. The software either butchers whatever attributes I try to add, or strips them entirely. Hopefully bold is enough, but if not, they are KB #s 961479, 961648, and 962209.)
A contact at Microsoft explained that a specific customer hotfix request for one version (e.g. SP2) may not get ported immediately to another service pack (or another version). The initial goal is to provide the fix for that customer's version, unless requests come in for more than one version. After that, the fix will make it into other relevant branches as time allows (in most cases they try to accomplish this by the next CU if they can't get in by the current cycle's deadline). This process makes sense, of course, I just don't think it's very visible. A lot of people assume that hotfixes that come out at the same time will contain the same set of fixes. That assumption makes sense too, and while it is surely the goal, it just can't always happen.
He also promised an authoritative list of fixes for the two CUs, and if it differs from the above, I will post an update here.