ESM Patch Checks on Win 2003

I have enabled checks for security patches on Windows based server. I have a few servers reporting as missing patches. I need to understand what is it that Symantec looks for while determining that a machine is missing an update. Our patching tool did not highlight any missing security updates. Would anyone know if Symantec just does a file version comparison as given on MS site?