The proxy server (TMG) is blocking access to:
ctldl.windowsupdate.com
This confused me because we don’t use Windows Update; we have a WSUS server. It seems that http://ctldl.windowsupdate.com is actually used to download Certificate Revocation Lists, or rather Certificate Trust Lists. These lists tell the server or PC which certificates have been revoked because they’re now invalid, erroneous or compromised, and which certificates can be trusted.
If your server was previously set up to download such lists but you are now seeing ctldl.windowsupdate.com in your proxy logs, this may be because you have just installed KB2677070. KB2677070 changes the URLs from which the Certificate Trust List is downloaded to ctldl.windowsupdate.com.