In case this hits anyone…..
MS12-017: Vulnerability in DNS Server could allow denial of service: March 13, 2012:
After you install this security update, the DNS Server service may not start, or you may receive an access violation error message shortly after the service starts, or after the operating system starts.
This issue may occur if DNS is configured to have a CNAME and a SOA record that both exist for the “@” record. The “@” record identifies the root of a DNS zone. This can frequently be identified in the DNS Manager as a record with the “(same as parent folder)” name. The SOA and NS records are allowed in this folder. RFC 2181 describes name uniqueness checks for CNAME records. According to RFC 2181, the CNAME may not exist in the “same as parent folder” (“@”) of a zone.
To avoid this issue, identify and remove the “@” CNAME record that is causing the issue from the misconfigured zone before you install security update 2647170