Just because I spent a few hours researching this, I though I'd share to save other people the trouble.
Apparently Windows 2008 R2 (with no service pack) is going out of support in a few months. My SME is telling me that MS will not be releasing seecurity patches for this product from this time. This is a bit of an issue for my customers as we have several hundred of these servers.
The fix is to apply SP1 or SP2. Should be simple with BSA
We use BSA, and the we 'approve' patches every month by adding a approve property and then only including this smartgroup is the list for the patch analysis (hence we are not doing the 'group' and dont select 'exclude service packs').
My first challenge was that when I search for the Patch in the catalogue its difficult to find. KB976932 is not in the catalogue.With a bit of searching (and doing the 'group/dont select' it seems that this service patch is a special beast in the catalogue.
I found it using a Patch Catalog search using DEPOT OBJECT, where NAME contains SP1-en. This returned 4 patches, WINDOWS SERVER 2008 R2 DATACETNRE(X64) SP1-en ( and the 3 other varients). The object has NO Q or bullitin number in the BSA entry , hence why normal search did not work. Also if you search for SP1, you will find hundreds of patches. it is also of severity 'unknown'
So I've finally found the service pack Patch!!!
Next steps is to test it on a target and see how I'm going to apply it, or at least upload it so the local server admin can do this?
Has anyone done a mass-rollout of something like this?