* Microsoft now publishes information on hotfixes on their web site. See their security web page. (Unfortunately, their web site doesn't seem to work well with Netscape's browser.)
Microsoft does not announce existence of hotfixes for denial of service bugs, outside of their web pages, and many administrators and users do not read security related newsgroups, email lists, or security advisories by agencies such as CERT, CIAC, etc.
* Note: Microsoft now has a security announcement email list you can subscribe to. See their security web page.