For one, the Apple update packages in and of themselves, including security update packages, have a version number, and it has actually happened for the initially available update (with version 1.0) to be faulty and replaced by a 1.1 version, e.g. Snow Leopard Security Update 2012-001, version 1.1.Second, as far as I have heard this update won't be proposed if Java is not installed, hence the standalone Flashback removal tool that Apple provides as well (which is useful to remove Flashback variants which use some other mechanism than Java to penetrate).I haven't followed closely, but there was a first security update which closed the Java vulnerability - before the Flashback situation exploded in the press, in fact. Then Apple later added further safeties such as this setting to disable (by default) Java integration in the browser systemwide.The More You Know, etc.