I'm running an external PCI scan (not authenticated) against a Windows 2008 R2 Server.
The system is flagged as vulnerable to "TCP Sequence Number Approximation Based Denial of Service" (CVE-2004-0230). The Microsoft bulletins related to this are MS05-019 and MS06-064. Neither of these applies to Server 2008 R2. It looks like the problem was fixed in Server 2003 R2.
I'm sure I'm not the first person to run into this, but I don't see any discussions about it.