I think the fact that a patch fixes one use case was never considered enough justification for the patch correctness.
To clarify a bit, I think in the current form the patch will break things for apps without any custom CSP present. Imagine an app accessing root store from the two threads, one is in process of initializing that root store. The other thread should wait for it to finish before going forward and get correctly populated store.
The latter could be technically solved by, e. g., detecting the recursion here and exiting the function only in this specific case. This at least would not obviously break existing functionality, but I'd think it is a bit ugly and doesn't solve the core problem. I guess it needs some work to evaluate why do we have to load those CSP providers at all during cert store population and whether we can sanely load only those needed (unless anyone knows that offhand). I am not bringing up the question about tests here even because it looks rather obvious that this CRYPT_ImportSystemRootCertsToReg() is a Wine-specific thing and on Windows the root store is not populated on the first use.