the register has a humourous article about how "improved" Windows 2003 SP1 is compared to, say, any other version of windows. the best quote is here:
At one time, this was so common it was almost funny: people installed Windows and before they could download all the latest security updates, they were already infected by a host of worms that had them actively attacking other Internet hosts. In some cases, even being behind a firewall wasn't sufficient enough protection.
That just might now be a problem of the past. SP1-integrated Windows installations will now allow you to block all inbound network connections until you finish installing the latest security updates and configure the automatic updates feature.
problem is that it is still only an option, and not a default?
You can reply to me about this on Twitter: Tweet to @liquidx