I hope the unpatched server's not open to the internet right now. If it is you are probably already infected with the nimda virus. It often takes less than an hour of unprotected exposure to get it. Which really sucks. One time I set up IIS and forget to close port 80 on the router and within 15 minutes the damn thing was infected with nimda. It was easier to reformat and set up the server from scratch than it would have been to remove the stupid virus.
Download this free tool from Microsoft to help figure out which patches you need. It checks Windows 2000 (and XP or NT), Internet Explorer (5, 5.5, or 6), and IIS (4 or 5) to see if the necessary patches and hotfixes have been successfully applied, and if not, gives a MS Knowledge Base article number to refer to. Run it as hfnetchk -v from a command prompt. It's a very useful tool. Unfortunately there's no "Windows Update" kind of thing for IIS.
And disconnect that server from the internet until it is all patched up!!!!!