At http://weblogs.asp.net/scottgu/archive/2011/12/28/asp-net-security-update-shipping-thursday-dec-29th.aspx, Scott Guthrie discusses the reason for one (or both) of these updates. This is linked to a possible denial of service attack vector that has recently been publicly disclosed. (This attack vector is not exclusive to ASP.NET, so expect similar updates for Apache/PHP and so on.)
If you have responsibility for any ASP.NET application, you should apply the patch, retest your application, get client sign-off and deploy the patch(es).
Please note the following from Scott's blog: "The security update we are releasing on Thursday, December 29th updates ASP.NET so that attackers can no longer perform these attacks. The security update does not require any code or application changes."