MBSA -vs- WU
Doug Neal posted this informative look into the differences between Windows Update (WU) and Microsoft's Baseline Security Advisor (MBSA):
MBSA does one important thing that WU does not: MBSA will check explicit files to ensure a security bulletin and all of the associated files are patched on a machine. This is far and above the best way to ensure your machine is up-to-date for all security bulletins released by Microsoft. WU detection may result in incorrect patch status after uninstalling a patch, using System Restore on a machine or performing an in-place repair of the OS. Since MBSA checks explicit file versions, no matter what state a machine is in, MBSA will correctly detect whether a patch is sufficiently applied in a way that WU cannot.
Windows Update does one important thing that MBSA does not: WU will scan for all updates, not just security updates (which can include drivers, recommended updates and ‘nice to have’ features offered by Microsoft).
Aside from both of these traits, it’s important to understand one more aspect of MBSA 1.2. Although the current version of MBSA has added support for many OS features and components (such as MSJVM, MSXML and MDAC), there are still patches for which MBSA cannot report the status of a patch (such as Outlook Express, WSH [Windows Scripting Host], and Front Page Server Extensions). When MBSA encounters security bulletin information that the MBSA engine cannot scan for, MBSA will report a NOTE message. When MBSA encounters a security bulletin for a component or feature that is not supported by MBSA, there will be no message (no note, no warning – nothing). In both of these cases, it is an important indication that the administrator will need to check the details of this patch manually. These issues are covered more fully in the associated KB article 306460.
I hope that helps explain some of inner workings of MBSA in a way that helps
--