Based on the reported findings, Qualys appears to be investigating only the registry entry for the HealthService.dll version (%ProgramFiles%\System Center Operations Manager 2007\HealthService.dll Version is 6.1.7221.81) to determine the necessity of MS13-003 needing to be applied.
IMPORTANT: Application of MS13-003 does NOT update the HealthService.dll version in the registry key; therefore, Q90855 continues to report even after the patch has been applied.
I contend that the vulnerability testing logic and/or methodology is flawed – OR – at the very least, the vulnerability type (Confirmed vs. Potential) reported is flawed.
This patch is to remediate vulnerabilities in the SCOM Web Console. The majority of the servers in my environment reporting Q90855 have only the SCOM agent installed and NOT the web console.
There is no way that we, in an environment our size [an enterprise-sized company running SCOM], can feasibly process false positive evidence for every server that is running the SCOM agent and reporting Q90855.