I work in an environment where access to the internet is not allowed, but we are required to have the latest Microsoft Updates.
As of this year, we started the process of migrating from Windows XP Pro to Windows 7 Enterprise.

We used MBSA 2.2 to generate a report of all the updates/patches the system is missing.  We then burn a copy of the report to a CD/DVD.
We then us a computer with internet access that has a script that pulls all the "DownloadURL" tags from the report, and downloaded all the updates/patches.
These updates where then burn to a CD/DVD, and taken to the system that needed them, and manually installed.

The 'cool' part of the script is that it downloads all the patches on it's own. So if a system needs 70 updates, it's not an issue. Just start the process and walk away.

As we started to migrate to Windows 7, we noticed that the CAB files being downloaded were crypted (for the lack of a better word), compare to those for Windows XP.

Below I have an example:

<UpdateData ID="MS12-020" GUID="c80c765b-fa42-42b4-968a-4a9a64abbd5e" BulletinID="MS12-020" KBID="2621440" Type="1" IsInstalled="false" Severity="4" RestartRequired="false" WUSApproved="true">
<Title>Security Update for Windows Server 2008 R2 x64 Edition (KB2621440)</Title>
<References>
<BulletinURL>http://www.microsoft.com/technet/security/bulletin/MS12-020.mspx</BulletinURL>
<InformationURL>http://go.microsoft.com/fwlink/?LinkId=232664</InformationURL>
<DownloadURL>http://download.windowsupdate.com/msdownload/update/software/secu/2012/02/windows6.1-kb2621440-x64_c38a7ca505cd266b6d1fcb25fea4b2a421096f54.cab</DownloadURL>
</References>
</UpdateData>

As I expand the CAB file from the 'DownloadURL' tab, I get following content

* FOLDERS
* MANIFEST --- XML File
* MUM --- XML File
* SECURITY CATALOG

There are references to AMD and Intel, but nothing concrete, what to actually install.

When I use the 'BulletinURL' or the 'InformationURL', it takes me to page with all the details, and then shows me a table where I can download the update I need per system type.

It lets me download a 'MSU' file like
http: / / download.microsoft.com/download/A/B/A/ABAE7556-3AEB-4797-B910-9B6382E72FD5/Windows6.0-KB2621440-x64.msu

The issue now is that the download process is all manual, because we have to choose which patch to download, per the system type. Unlike XP, it downloads the actual update it needs, so it can easily be downloaded automatically and installed.

Questions:
How can we decipher what to install from the 'DownloadURL' CAB file, without manually looking into the 'BulletinURL' to download the MSU file?
Does MBSA 2.3 address this issue?

BTW: We experimented having a WSUS system, but at the end, this was NOT allowed.

BTW: We experimented having a WSUS system, but at the end, this was NOT allowed.

I'd be interested in hearing more about this, because a Disconnected WSUS server works almost identically to the procedure you just described above.. except it does it a heck of a lot easier, and much of it is automated.

Also.... since MBSA only covers a portion of the updates you may be missing, WSUS will give you a much more thorough picture of needed updates.

Does MBSA 2.3 address this issue?

Not likely. The issue is not the tool, it's the process by which you're attempting to acquire the updates. The updates are going to be exactly the same whether you identify them via MBSA 2.3, MBSA 2.2, or read the file version lists in the KB article and inspect the computers' filesystems manually.

The updating methodology for Windows Vista and newer systems is radically different than it is for Windows XP, Windows Server 2003, and older systems. The processes you've had in place to do this manually for WinXP/2003 are likely going to have to be radically rearchitected.

It's been one of our biggest headaches.  I've spent hours expanding various Windows 7 CAB files, trying to cipher through them and no luck.

FYI:  There is another issue we found that is noticabey with Windows XP Pro SP3.  When manually installing DOT NET Framework updates, MBSA security scan continues to state the update is not installed. We then ran test in a lab (with either LAN or internet connection), and saw the same issue.  Once we pointed the system to a WSUS server or to Microsoft Update server, the sercurity scan stated it was installed.

To be honest, I haven't spent much time on this subject, since Windows 7 Enterprise Edition and Windows 2008 Server migration and updates have consume me.

Once we pointed the system to a WSUS server or to Microsoft Update server, the sercurity scan stated it was installed.