There are known vulnerabilities in Server 2003 that won’t be fixed

An assumption I see bandied about is that if a flaw is found in all versions of Windows Server before the 2K3 EOS date, and a fix is released for Windows Server 2008 and later before the 2K3 EOS date, that a fix will also be released for Windows Server 2003 before the EOS date.

If people had been following the news more closely, they would understand that this is not the case. Security bulletin MS15-005 has the following paragraph:

The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component. The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.

https://technet.microsoft.com/en-us/library/security/ms15-005.aspx

Put bluntly, they were unable to fix Windows Server 2003 without it likely becoming incompatible with applications designed to run on the platform. Given that the operating system is close to the end of support date anyway, the best mitigation for this vulnerability, if your organization is still running Server 2003, is to migrate away from the operating system.

Microsoft will still fix what vulnerabilities it can up until that final patch Tuesday. However organizations that are running Windows Server 2003 should be aware that the OS already has publicly disclosed exploitable vulnerabilities that will not be addressed.