Yes, another Windows XP update. Yes, in 2019.
Remote Code Execution (RCE) vulnerability CVE-2019-0708 exists in the Remote Desktop Protocol (RDP). Exploiting this vulnerability would allow an unauthenticated attacker to run arbitrary code on an affected system. This type of vulnerability is potentially wormable due to the lack of authentication and pervasiveness of the RDP service. Although a proof-of-concept exploit has not yet been disclosed, this vulnerability should be remediated with very high priority across Windows 7, Server 2008, and Server 2008 R2. Due to the high risk of this vulnerability, Microsoft has also issued patches for Windows XP and Server 2003.