Tim, everything looks fine in your ACE and it sure should work. Why don't you raise a case with Cisco TAC (Technical Assistance Center)? A TAC engineer would help you out. Meanwhile, you could try using the following ACEs - access-list 112 deny tcp any ...
Yes, since patch 3 consolidates patch 1 and patch 2, you could install patch 3 to solve this problem. You can find the release notes for patch 3 at http://www.cisco.com/en/US/partner/products/sw/cscowork/ps402/prod_release_note09186a00800e9580.html