One is rated "critical" for versions of the Windows operating system except Windows 7 and Windows 2008 R2, for which the rating is "important".
This demonstrates the consistently better showing of Microsoft's newer operating systems, said Wolfgang Kandek, chief technology officer at security firm Qualys.
The second patch will be for Office, where all versions are affected and it is rated "important".
But it is rated "critical" for Visual Basic for Applications and its software developers kit, said Kandek.
Microsoft has notified customers the May security update will not include a fix for the vulnerabilities found in Sharepoint 2007 as they are still working on an update.
"It seems likely that we can instead expect an out-of-band patch this month for Sharepoint given the critical nature of the cross-site scripting vulnerability, said Alan Bentley, vice-president international at security firm Lumension.
This vulnerability threatens sensitive corporate information housed on the enterprise content management system, he said.
Microsoft is recommending applying workarounds until a fix is released to restrict access to the Help functionality in Sharepoint.
This article was first published by Computer Weekly