Microsoft has made much of the security advances in their recent products but some people ask why these are not incorporated into their earlier products. Windows Vista, Windows Server 2008 and Windows 7 were all not vulnerable. Why? Because the DirectShow code in XP had largely been replaced with the new Windows Media Foundation, developed using the company s SDL (Security Development Lifecycle), a series of development rules designed to decrease the number of vulnerabilities in code and to limit the impact of those that remain.
Source: https://threatpost.com/when-should-microsoft-backport-security-advances-052909/72747/