Hi nicksberger, Catherine,
We have updated Fixlets for MS17-004 to address the above-mentioned issue; they are published to site Patches for Windows, version 2684. Also, we have enhanced our internal framework to include similar logic in future Security-only Fixlets released.
Please allow me to update with a few more details. While we perform our internal testing, we don’t see the behavior mentioned above - i.e. the original security-only Fixlets evaluate false after monthly rollups are installed. I believe, nicksberger, you have also observed similar issues for Dec patches: "Issues with new Msft patching process - BigFix relevance issues". In addition, for customers who have a Security-only Fixlet still applicable after monthly rollup, they are actually still able to install the patch (although it might seem unnecessary).
Since this issue is recurring for Jan 2017 Security-only patches, and the fact that MBSA is not reporting it makes the BigFix detection result a mismatch, I believe it would be better to keep that logic in place regardless of whether we can observe the behavior in our test bed, while these Fixlets still pass all our internal tests.