Microsoft’s security team has published information related to security fixes that aren’t referenced with CVEs. These types of changes represent special code that go beyond fixing specific routines within the patched product family. As bi-directional Firewalls or code management systems can often determine ususal activity, Microsoft explains these special situations as noted below.
How Microsoft Does Undocumented Security Patches
QUOTE: I came to realize that Microsoft never in their security bulletins identified patched vulnerabilities as internally discovered. I pressed them on it and they were somewhat elliptical in their response, but offline others pointed out that obviously Microsoft was patching other vulnerabilities silently.
Additional Fixes in Microsoft Security Bulletins
QUOTE: From time to time we receive questions regarding fixes not documented in security bulletins. Some call these “silent fixes.” We hope this blog post answers those questions and helps clarify Microsoft’s process in fixing and documenting all vulnerabilities and addressing internally discovered variants. Much of the security community is aware that Microsoft security updates sometimes contain additional code fixes to address issues beyond the originally reported vulnerability. This process that ensures a comprehensive update was first publicly documented in a Microsoft TechNet magazine article from June 2006.
Example from 2006