We have been diligently going around to tens and hundreds of thousands of servers and workstations applying the patch for MS03-026 to make sure we are not susceptible to MSBlaster and all its derivatives.

Rumor on the street now is that if you apply the MS03-026 patch to a Windows 2000 SP3 system and THEN apply SP4 it will undo the patch and make the system vulnerable to the RPC vulnerability again.

Can anyone confirm or deny this? Is anyone aware of a response from Microsoft on the subject? Can you just re-apply the MS03-026 patch after SP4 or are there other mitigation steps you can take?

Thanks