Sep 2009 security bulletin’s major concerns was about MS09-048; now updated to call out Windows XP, as its not affected by any Denial-of-Service, Remote Code Execution vulnerabilities. Because, XP SP2 / SP3, and XP Pro x64 Edition SP2 don’t have a listening service configured in client firewall and therefore not affected. Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a DoS attack’s that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system’ll recover once the flood ceases. XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use built-in firewall, or a network firewall, to block access to affected ports and limit the attack surface from untrusted networks. Windows 2000 scenario is very similar to XP in that an attack requires a sustained flood of specially crafted TCP packets and the system’ll recover once the flood stops. Keeping Windows 2000 servers behind a NAT or reverse proxy can help to reduce risk.
Source:→ MSRC blog