If you don't have an automated software distribution mechanism (SMS,
Tivoli, Radia, or something like those products) for your XP machines
you might consider creating a kit of all the applicable post-SPx patches
(for whatever value of -x- your organization is currently standardized
on), and applying the complete kit to every machine.

This mechanism will result in redundant re-installations of some
hotfixes, but it will give you some confidence that all of the hotfixes
have been applied to every machine.

If your organization does not already have such a policy, talk to your
management about establishing a *corporate* policy about keeping all
computers up to a "reasonable" level of security, with an explicit
statement that noncompliance with the policy may result in adverse
action against the offender. The definition of "reasonable" will depend
on the details of the organization, but the days of
everybody-trusts-everybody are no longer a viable alternative. If your
management has any sense you'll be seen as being a Valuable Employee
(tm) who is being PROACTIVE (good buzzword for your annual review) about
security.

Also, in a business environment, by using a centrally-distributed update
kit and not using Windows Update, you have an opportunity to test the
new hotfixes against your organization's corporate applications, and you
don't risk having Microsoft re-issue a slightly tweaked version of a
hotfix without bothering to announce the change.

<soapbox>
If your organization has any pretense of having network security, get
rid of your Win98 machines. The DOS-based versions of Windows (95, 98,
98SE, ME) have a security model best described as "a block of Swiss
cheese".
</soapbox>

Joe Morris