I can add some clarity to this.
When Windows reaches RTM, the ownership of support is handed off from the Windows team to the Windows Sustained Engineering (WinSE) team. Two code branches are opened up for creating QFEs, a Limited Distribution Release (LDR) branch, and a General Distribution Release (GDR) branch.
The GDR branch is used for updates that are going wide to all users, which include security updates and high impact updates. Depending on the severity of the QFE, it might be posted to Windows Update as a security update, or alternatively it would be provided to OEMs to preinstall on shipping systems to resolve a specific issue.
The LDR branch is used for updates that aren't going to be distributed to a wide audience. This might be something like a QFE that fixes a bug that some enterprise customer is seeing, but doesn't have much applicability to the majority of Windows users. Microsoft doesn't want to distribute an update like this wide, because there is a risk that it will cause regressions for other users. Every update in the GDR branch is also put into the LDR branch, because ultimately the user is going to be running a single instance of the binary file, and so it better have all of the security updates included if it is going to also fix issues of lesser importance.
When you go to Windows Update and install a QFE, the package that you install usually contains at least two versions of the applicable binaries: one from the LDR branch, and one from the GDR branch. The hotfix installer will look at what is currently on the system, and if you have the LDR version of the binary already installed, the hotfix installer will update with the corresponding LDR binary. The effect is that once you install an LDR update, you are now on the LDR branch for that binary for all future updates - that is, until the next service pack release.
The service pack is a release that includes all updates from the LDR and GDR branches rolled up into one major release. Pre-release versions of service packs are provided to enterprises for testing, and to see if any of the updates that were put into the LDR branch break anything. This gives the enterprise and Microsoft time to address the issue and fix it for the final service pack release.
Since not all enterprises participate in full testing of the service pack, there may be things that end up in the final version that can break things. This is why Microsoft will continue to support the prior service pack release with security updates for a time, so that these issues can be resolved. At some future time, the prior service pack becomes no longer supported, which is what TFA is all about.
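The branch-selection behaviour described in the comment above, modelled as an added example that is not part of the original comment and is not Microsoft's installer code. The class names, the fix ids (`SEC-1`, `HOTFIX-A`, ...) and the `RTM`/`SP` labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Build:
    branch: str        # "RTM", "SP", "GDR" or "LDR" (labels are this model's own)
    fixes: frozenset   # fix ids compiled into this build of the binary

@dataclass(frozen=True)
class Package:
    ldr: Build
    gdr: Optional[Build]   # None for a limited-distribution hotfix

class Servicing:
    """Tracks which fixes each branch contains for one binary."""
    def __init__(self):
        self.gdr, self.ldr = set(), set()

    def release(self, fix_id, wide):
        self.ldr.add(fix_id)            # every fix lands in LDR
        if wide:
            self.gdr.add(fix_id)        # only wide-distribution fixes land in GDR
        gdr = Build("GDR", frozenset(self.gdr)) if wide else None
        return Package(Build("LDR", frozenset(self.ldr)), gdr)

    def service_pack(self):
        self.gdr = set(self.ldr)        # roll-up: both branches restart from everything
        return Build("SP", frozenset(self.ldr))

def install(installed, pkg):
    """Installer rule from the comment: stay on LDR once the binary is LDR."""
    if installed.branch == "LDR" or pkg.gdr is None:
        return pkg.ldr
    return pkg.gdr

def scenario():
    s, pc = Servicing(), Build("RTM", frozenset())
    history = []
    for fix_id, wide in [("SEC-1", True), ("HOTFIX-A", False), ("SEC-2", True)]:
        pkg = s.release(fix_id, wide)
        pc = install(pc, pkg)
        history.append((fix_id, pc.branch, sorted(pc.fixes)))
    skipped = pkg.gdr                   # GDR payload of SEC-2, which this PC did not take
    pc = s.service_pack()
    pc = install(pc, s.release("SEC-3", True))
    history.append(("SEC-3", pc.branch, sorted(pc.fixes)))
    return history, sorted(skipped.fixes)
```

The skipped GDR payload of `SEC-2` lacks `HOTFIX-A`, which is why the installer keeps an LDR machine on LDR: taking the GDR binary would silently remove the hotfix.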