We have thousands of XP SP3 machines just upgraded to SEP 11 RU7, and this issue is getting pretty serious on our end. Another thread about this, which describes the logs we're seeing but is 'solved', is here (it pertains specifically to RU7):
http://www.symantec.com/connect/forums/sep-client-1107000-reconfiguring-every-2-minutes
We're in the same boat RE: the hotfix. If it's going to need uninstallation later, just to upgrade the original wonky patch, AND it's not recommended unless you actually have the issue, it's not something our security team likes. Rolling back security, and increasing complexity, for something that shouldn't happen anyway is hard to get approved.
We've done some testing and found a few interesting tidbits. Here's some info we have around the crypt32.dll file this involves.
Clean XP SP3 VM -- crypt32.dll version .5512
After patch 2607712 -- crypt32.dll version .6147
After patch 2616676v2 -- crypt32.dll version .6149 dated 9/9/2011 2:12 am, 585k
After HotFix 959658 -- crypt32.dll version .6149 dated 9/9/2011 2:11 am, 586k
crypt32.dll file INSIDE the HotFix 959658 package -- version .5707 dated 11/07/08
We're wondering why the HotFix CHANGED the date modified, and size (and hash) of the crypt32.dll, but not the version number. And why the version number remained the NEWEST one when the crypt32.dll file inside the HotFix package is clearly a rollback to .5707 from three years ago.
Long story short - we are still seeing this issue in our environment, and see no advantage to deploying the HotFix at this moment. And we will not disable the security features this affects, either. We have reached out to Microsoft as well and hope for a much better answer than we've gotten so far.
kirk...
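
One way to check collected copies of a DLL for the mismatch described in the post above (same version number, different size and hash), as an added example that is not part of the original post. It reads the binary file version from the VS_FIXEDFILEINFO block by searching for its signature; the function names and the sample data are constructed for illustration, and only the last version field (.5512, .6149) comes from the post.

```python
import hashlib
import struct
import sys
from collections import defaultdict

# VS_FIXEDFILEINFO starts with dwSignature 0xFEEF04BD, then dwStrucVersion,
# dwFileVersionMS and dwFileVersionLS (all little-endian DWORDs).
FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)

def fixed_file_version(data):
    """Binary file version 'a.b.c.d' from the first VS_FIXEDFILEINFO, or None."""
    pos = data.find(FFI_SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    _sig, _struc, ms, ls = struct.unpack_from("<IIII", data, pos)
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def describe(label, data):
    """Version, size and SHA-256 for one copy of the file."""
    return {"label": label, "version": fixed_file_version(data),
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def same_version_different_content(records):
    """Versions that are reported by copies whose hashes are not all identical."""
    hashes = defaultdict(set)
    for rec in records:
        if rec["version"] is not None:
            hashes[rec["version"]].add(rec["sha256"])
    return sorted(v for v, seen in hashes.items() if len(seen) > 1)

def constructed_sample(revision, filler):
    """Constructed stand-in for a DLL: stub header, version block, filler bytes."""
    ffi = FFI_SIGNATURE + struct.pack("<III", 0x00010000, 0, revision)
    return b"MZ" + b"\x00" * 62 + ffi + filler

def demo():
    records = [describe("clean", constructed_sample(5512, b"a" * 64)),
               describe("after patch", constructed_sample(6149, b"b" * 64)),
               describe("after hotfix", constructed_sample(6149, b"c" * 65))]
    return records, same_version_different_content(records)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # paths to copies of the DLL pulled from each machine state
        records = [describe(p, open(p, "rb").read()) for p in sys.argv[1:]]
        flagged = same_version_different_content(records)
    else:
        records, flagged = demo()
    for rec in records:
        print(rec["label"], rec["version"], rec["size"], rec["sha256"][:16])
    print("same version, different content:", flagged)
```

The value read here is the fixed binary version, which can differ from the FileVersion string shown in a file's properties dialog.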