I would like to point out, it is reasonably easy to secure a machine on windows XP that is not used for anything but a server with a simple firewall and only allowing a single port in through that firewall.
Allowing you to turn off automatic updates, with the assumption you never use that machine for anything else but a server.