The most 'impressive' denial of service going on here is the social one. Get a lot of folk out there that are manually trying to get patched, all together and it's going to cause a hell of a spike on whatever machines service the update. This is aided slightly by some good meeja stories.
Removing the DNS for windowsupdate.com is one thing but windowsupdate.microsoft.com looks a lot like toast right now. That could be because there are variants of the worm, I suppose, but I'd wager it's the monkeys at keyboards.
Imagine if they didn't have the best part of a month to patch and a week to prepare for the ddos. How about an hour or so to code for a new exploit and 15 minutes for it to propagate? Patching isn't going to save anyone if that sort of thing ever because commonplace.