If Windows XP SP2 firewall service is set to manual or disabled when Windows XP SP3 is applied, the Windows Firewall/Internet Connection Sharing (ICS) service and Security Cetner service will be changed to automatic startup. This behavior is by design, for the purpose of increasing the security of Windows XP.
Windows XP firewall service is enabled after installing XP SP3 – even if it was previously disabled
This setting will remain in effect for computers that had the service startup manually altered.
According to the Microsoft Enterprise Networking Team:
If the service is administratively disabled via domain Group Policy, it will again be disabled after subsequent application of Group Policy. The automatic service startup should only be seen on the first reboot after applying Service Pack 3. To cause GPO settings to be updated immediately on a client, run gpupdate /force from a command prompt.