Yes, you need to have Microsoft's permission, but, as Undies~ suggested, you can generally get the official SPs on computer magazine cover CDs, which have Microsoft's blessing.

Also bear in mind that your customers really need to keep up with all the OS and application patches.

Sasser and MSBLASTER patches were part of SP2..(RPC and DCOM services) I thought many AV's didnt work with Pre SP2 now?
Yes they do................. remember a fair number of outfits are still running Windows 2000 and the AVs install and update on those machines as well. If anything, I would have thought that it was the other way around?

New AV will work with old SP, but old AV may not work with new SP......... something to do with what method the security product uses to hook the kernel?

Incidentally, in another thread I mentioned the "Race to Zero" competition at BlackHat 16. This was where you had to obfuscate old malware and get it past the latest versions of AVs.

One team got all 10 out of 10 and the malware list included "Stoned" (a 20 year old DOS boot sector virus) and Sasser. So, if you were not patched, it would get you

Maybe I should dig out my copy of "stoned".......... trouble is I only have my collection of that era on 5.25"