AutoUpdate Impacts Windows XP SP2 Rollout
Sep. 13, 2004

The release of the second service pack for Windows XP poses problems for many organizations that have configured their computers to automatically apply patches from Microsoft's Windows Update site. Those computers could run into trouble because Microsoft has released Windows XP Service Pack 2 (SP2) as a critical update that will automatically install if the AutoUpdate client is enabled to download and install critical patches, but the security improvements in SP2 are not backward-compatible with many applications. To mitigate the problem, Microsoft is offering organizations a way to defer application of SP2—but organizations shouldn't delay too long.

Many Organizations Not Ready

Microsoft is moving to head off problems that will be created by automatic installation of SP2 in many organizations. Although Microsoft recommends that organizations use systems management software to manage the deployment of patches, many organizations still have computers with the AutoUpdate client configured to automatically download and install critical updates from Microsoft’s Windows Update site. Automatic Update will see SP2 as a critical update; Microsoft has labeled the service pack "critical" because it delivers well-tested patches and important configuration changes to block known security vulnerabilities.

However, SP2 makes many changes that can disable specific programs and program features. Among other things, SP2 changes Internet Explorer (IE) settings, and by default, it enables the Windows Firewall (formerly known as the Internet Connection Firewall). The service pack also tightens security in parts of the Windows core, particularly remote procedure calls (RPCs) and Distributed Component Object Model (DCOM) application-to-application communication systems. Applications that depend on the old settings and behavior of these systems will not work as expected. Therefore, some organizations need to delay the deployment and installation of SP2 until they have tested and confirmed that the line-of-business applications that they rely on to conduct their business will work with the changes in SP2.

However, many organizations did not complete their testing of SP2 prior to its release, despite the fact that Microsoft publicized the changes in SP2 early and often and ran a long and extensive beta program to help customers understand the impact of the changes and catch any problems. Customer testing has been slow in part because Microsoft made many changes to the service pack throughout the beta process. Also, Windows XP SP2 resembles a new OS release more than a service pack, thanks to many changes to low-level components and critical features of the OS, and many organizations do not have the resources to begin testing a major OS release until it is feature-complete or until there is a business need for them to upgrade to the new release. Even Microsoft appeared to have had problems getting all of its products ready for the release—an update to the Microsoft Baseline Security Analyzer (MBSA) to ensure it worked correctly with XP SP2 was not released until after the service pack.

Mitigating the Problem

To give organizations some control over when SP2 is installed on computers, Microsoft has created a Registry key that can be set to make the AutoUpdate client defer the download and installation of SP2 until Apr. 12, 2005. The Registry key only applies to SP2—other critical updates that Microsoft releases through Windows Update will still be picked up and installed by the AutoUpdate client. After Apr. 12, 2005, computers running Windows XP with the AutoUpdate client set to download and install patches from Windows Update will install the service pack. Initially, Microsoft announced the Registry key would defer installation for 120 days, but later updated the duration to 240 days, or approximately eight months.

Microsoft has also provided the following tools to help organizations get the Registry key to affected computers:

  • A Group Policy template for organizations that use Group Policy to manage their PCs
  • An executable program that sets the Registry key on computers running Windows XP, and scripts to help deploy the executable to those computers
  • An e-mail that can be used to distribute the executable (although this is not a recommended practice because the e-mail downloads the executable and runs it, which is also a popular social engineering approach to get users to install viruses and Trojan horses—see "Spyware Growing Security and Privacy Problem").

The executable program and the e-mail link require the user to have administrator privileges to apply this Registry key.

Longer-Term Solutions

Problems like this could be reduced in the future if Microsoft would be more disciplined with service packs, restricting them to tested collections of patches for vulnerabilities and program bugs, while using feature packs for adding or changing features. However, organizations should not rely on Microsoft to follow this course of action, but instead should deploy Group Policy or a patch deployment tool.

Group Policy. Microsoft has added more than 600 Group Policy settings in Windows XP SP2, giving organizations a large degree of control over features such as IE, the Windows Firewall, Internet communications, security (including the Security Center), and AutoUpdate. Organizations using Group Policy benefit, and in the event a workaround is needed in the future, they will have the easiest mechanism to distribute it.

Patch management tools. Microsoft has recommended that organizations use a software deployment product to manage the deployment of updates. Among Microsoft's offerings, Systems Management Server (SMS) is the preferred approach because it has the most flexibility, supports application deployment as well as OS and application patching, and can be used to monitor which patches have been applied to which computers. However, it can be expensive to acquire and initially deploy.

In contrast, Software Update Services (SUS) is a free server product recommended when SMS is not practical. It allows an organization to deploy Windows updates by effectively pointing the AutoUpdate client to a deployment server managed by the organization, in place of the public Windows Update site. But many organizations have not deployed SUS and instead are waiting for a promised second release, Windows Update Services (WUS). It initially was to be ready about the same time as XP SP2 but has been delayed until 2005.

Spyware Hinders Installation

Microsoft has also updated its Windows XP SP2 preinstallation checklist to include a recommendation to remove any spyware prior to attempting to install the service pack. At the most basic level, spyware is software that installs without the user's knowledge or consent, monitors certain aspects of the user's activity, and then uses an Internet connection to transmit the collected information to a third party. Most spyware does not register in the Windows Add/Remove Programs Control Panel and is not detected by antivirus software, making it extremely difficult for users to remove without special tools. It appears that some spyware hooks into the OS in a way that causes installation of the service pack to fail.

Not Updating Not an Option

Not installing Windows XP SP2 is not viable because, in addition to the much publicized new features such as the Security Center, and enhancements and configuration changes such as those to the Windows Firewall, Windows XP SP2 contains at least 800 fixes made to Windows XP since its release.

In particular, SP2 incorporates the changes made in the first service pack, corrects security vulnerabilities, and fixes bugs to the core OS, networking, and other subsystems. (For a breakdown of the changes, see the illustration "Fixes in Windows XP SP2".)

Availability and Resources

Information about the Registry key to defer installation of Windows XP SP2 and the tools to implement the key are at www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx.

A detailed description of how to test for application compatibility with Windows XP SP2 is available from Microsoft at www.microsoft.com/downloads/details.aspx?FamilyID=9300becf-2dee-4772-add9-ad0eaf89c4a7&DisplayLang=en.

A detailed list of the fixes in Windows XP SP2 is at support.microsoft.com/default.aspx?scid=kb;en-us;811113.

A preliminary list of applications that may seem to stop working after installing Windows XP SP2 is at support.microsoft.com/default.aspx?kbid=842242.

A preliminary list of applications that may not seem to function the same after installing Windows XP SP2 is at support.microsoft.com/default.aspx?kbid=884130&product=windowsxpsp2.

For background on spyware, see "Spyware Growing Security and Privacy Problem".

Microsoft’s preinstallation checklist for installing Windows XP SP2 is detailed at www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx.