Yes, this is really the case! Thanks a lot to everybody who took part in solving the problem!
I was downloading the updates on an old Win2K OS. When I imported a Microsoft root certificate from another machine, sigcheck started to report that everything is fine.
Remarkably, only very few hotfixes have signatures which are based on this missing certificate.
Isn't it reasonable for WOU to handle such "Invalid Chain" results in a more delicate way than just removing the file? For example, to issue a warning dialogue advising the user to re-check root certificates in the system...
In my opinion, any indication of possible loss of updates should be manifested as loudly as possible, in order to let the user be aware of it without examining the log. Maybe a separate logfile can be made to store only errors and warnings, which could be displayed by default (if not empty) after the download process and/or before image creation...