Originally posted here by Soda_Popinsky
http://en.wikipedia.org/wiki/Security_through_obscurity

Just because Linux is "indie" doesn't make it secure; you still have to update it like everyone else. This discussion would still apply regardless of the OS.

Back on track...
Get your patches from the official source, in your case the windows update site. You can't get it a more trustworthy way unless they mail you an update CD.
Hey Hey,

I'm sick of the 'install Linux' **** just like everyone else... and I definitely agree that you should deal with a valid source and a trustworthy one such as Windows Update... but being mailed a CD isn't really any better than email... the CD could come from anywhere... and just be made up to look realistic... Actually it's not a bad idea for a scam... and it's one I'm surprised we haven't seen yet.

As far as updates go... It depends on what you're dealing with... If you have a bunch of large mission-critical servers, you're going to want to test some of the more major patches in R&D before installing them in production... the same goes for the service pack... it's also true that it's not a bad idea to hold off on the service packs for a little while... they tend to be flaky for a while... but then updates are released for them and it's nice to have it all installed and stable at the same time.

That's my two cents anyways.

Peace,
HT