As I understand the bulletin, Microsoft will not be releasing MS09-048 patches
for XP because, by default, it runs no listening services or the windows
firewall can protect it.
Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
"If Windows XP is listed as an affected product, why is Microsoft not issuing
an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP
Professional x64 Edition Service Pack 2 do not have a listening service configured
in the client firewall and are therefore not affected by this vulnerability. Windows
XP Service Pack 2 and later operating systems include a stateful host firewall that
provides protection for computers against incoming traffic from the Internet or from
neighboring network devices on a private network. ... Customers running Windows XP
are at reduced risk, and Microsoft recommends they use the firewall included with
the operating system, or a network firewall, to block access to the affected ports
and limit the attack surface from untrusted networks."
-eg