Applying a security patch is a good idea. Applying one that helps guard against the Sasser worm, as does MS04-011, is an even better idea. However, sometimes even good ideas have bad consequences.

A search through the Microsoft Knowledge Base turned up these problems with the MS04-011 patch. These two items were in the 6/14 and 6/15 BugBlog.

If you install the security update from MS04-011 (the fix for the Sasser worm) on a Windows NT 4.0/2000/XP computer, you may have problems viewing EMF (Enhanced MetaFile) images in Adobe Illustrator. According to Microsoft, the security patch enforces tougher security on metafiles. This tougher security is also present in Windows Server 2003 by default. There are hotfixes available for Windows 2000 and XP, which will be in future service packs for these products. If you use EMF files, and need these fixes right away, contact Microsoft Technical Support and ask for the fix described in Knowledge Base article 840997. Note that you may be charged for this call. If you use the other versions of Windows, you may want to check back at http://support.microsoft.com/?kbid=840997 for updated information.

Microsoft's MS04-011 security patch has some compatibility problems with certain third-party applications on Windows 2000 computers. One application mentioned specifically is the Nortel Networks VPN client, but in general applications that load these drivers — Ipsecw2k.sys, Imcide.sys, or Dlttape.sys --may cause big problems. These may include totally locking up the computer, having CPU usage spike to almost 100 percent, or an inability to log on to Windows. Microsoft has a hotfix to undo the damage done by the MS04-011 fix. It will be in a future service pack, but it you are having these problems you should contact Microsoft Technical Support and ask for the hotfix described in Knowledge Base article 841382. Note that you may be charged for this call.

In addition to these two, a number of other vulnerabilities were discussed in the BugBlog Plus (subscription information here). These include:

Windows 2000 DNS problems

Windows 2000 problems with Services for Unix

Windows XP problems with third-party applications that let you impersonate users

Windows NT compatibility problems with Intellipoint 2

Windows XP problems with NetSchedule API

Windows NT multiprocessor problems

Microsoft IIS compatibility problems

Windows 2000 problems with SMB/CIFS

Problems with 16-bit MS-DOS programs

Problems with Hebrew and Arabic text

Oracle DB compatibility problems

The problems aren't universal; some just affect a small set of users. But if you start having problems with something after installing MS04-011, this may be where you start looking for solutions.

There will be more coverage of Microsoft's security patches, the bugs they fix and the bugs they cause, at the BugBlog