Mike Johnson, a Senior Support Escalation Engineer for WSUS, recently sent me some interesting info on the detection logic in MS08-052 and why it may be a little confusing.  If you noticed that MS08-052 superseded MS08-040, but that MS08-052 is not
detected as "needed" on some of the same SQL installations then Mike explains why:

========

If you've deployed MS08-040 to SQL installations in your environment via WSUS you may have noticed that MS08-052 superseded MS08-040 but that MS08-052 is not detected as "needed" on some of the same SQL installations that have MS08-040 installed.

So what's up with that?  MS08-040 applied to all SQL installations with or without the SQL Reporting Services component.  Although MS08-052 superseded MS08-040, it had more restricted applicability than the update it superseded and is offered only if SQL Server Reporting Services is installed on SQL.

This is the design and not an oversight or mistake so as long as you follow the standard WSUS operations guidance on handling superseded updates like this you'll be fine.  For this scenario, you need to make sure to approve both MS08-040 and MS08-052
since only approving MS08-052 as the most cumulative of the SQL security updates would leave all SQL machines vulnerable unless SQL Server Reporting Services is installed.

========

Thanks Mike!

J.C. Hornbeck | Manageability Knowledge Engineer