No. Microsoft's Extended Security Updates (ESU) include Critical and Important security patches for Windows Server 2012 and Windows Server 2008 R2 according to their definition in Microsoft's Security Update Severity Rating System.
Our criteria for micropatching a vulnerability are specified here and are not identical to Microsoft's; while we expect ours and Microsoft's criteria to mostly overlap when it comes to high-risk vulnerabilities, it may happen that we decide not to micropatch some vulnerabilities Microsoft includes in ESU, but also that we do micropatch issues on Windows Server 2012 or Windows Server 2008 R2 that aren't included in ESU.
Furthermore, it may happen that for whatever technical or other reason, we are unable to port a security fix to Windows Server 2012 or Windows Server 2008 R2 as a micropatch (e.g., we may not be able to obtain a proof-of-concept for triggering the vulnerability while the vulnerability is already getting exploited in the wild, or the vulnerability may be in code that can't be micropatched). If that happens for a highly critical vulnerability, we'll provide recommendations for users to mitigate such vulnerability on their computers in some other way.
On the other hand, with 0patch you also get our "0day" patches for vulnerabilities that haven't been fixed by Microsoft yet. Some recent cases are Follina, DogWalk and ZippyReads, where our patches were available (and applied on users' computers) weeks before Microsoft has provided their official fixes.
4 Comments