I'm using Ida with BinDiff to examine MS security patches. I'm starting my education with old Win2000 patches. My Windows 2000 has sp4 and I believe is completely patched. If I want to start diffing a patch that was distributed for 2000w/sp4 but was much older (from a patch perspective) then my current vm - how can I ensure that the targeted dll is at a valid state for the "before" version? For example - I download a patch, install it, copy the targeted dll as the "after" version. Then uninstall the patch and copy the dll for the "before" version. But how do I know that my "before" version is truly the state of what the dll would have been just prior to when MS released that patch? And not some "dirty" older state. Otherwise the diff will show much more stuff that wasn't part of the patch. I believe there is dll version information within the patch itself and I know about the information provided by the MS bulletins (specifically the "Bulletins Replaced by this Update" column. But I'm guessing at this point and need some expertise.

You got it right and that's all you need. The "Bulletins Replaced by this Update" column tells you what was the previous patch for the related binaries.

Aside from that you can extract patches with the /x switch (XP and prior) or Cabextract utility (in system32) for MSU patches (extract MSU and then extract one of the two CABs).

Cool. Thanks, Neitsa!