The HI policy for the SP level is pretty self-explanatory, just hit the "Help" button for a bit more detail (as below)
"If you have one service pack that applies to multiple versions, you can specify them all in one requirement. You can use the Select All icon and the Clear All icon to make it easier to work with the list.
This requirement checks the registry and or uses Windows APIs to see if the specified service pack is installed."
As it states, it might just be looking at the same reg key anyway.
As it goes, if you are concerned about the reg key in question being manipulated by your users, then its possible to prevent access to the hive using an Application and Device Control Policy.
Finally, something else to consider is creating and using a custom HI policy and (again) looking for the same reg key. Then you can assign custom actions in the event a client fails the check too.