Microsoft updates regularly contain fixes for security vulnerabilities that are not listed in its security bulletins. Microsoft defends these ‘silent updates’, as they are known within the security community, in a blog post by its Security Research & Defense team.
When a security bug is fixed, the security team not only checks adjacent code for further vulnerabilities but also looks for similar bugs elsewhere, and occasionally lets fuzzers loose on the program in question. Microsoft designates such finds as ‘variants’, and they are defused with a minimum of fuss. They do, however, affect the classification given in bulletins: it can easily be the case that Microsoft raises the exploitability index of a bulletin because of a variant that was never publicly disclosed.