Two days before Windows 2000 entered the Extended support phase of its life cycle, Microsoft released a large bundle of security and bug fixes for the OS. Customers do not have to deploy this bundle, which Microsoft has dubbed Update Rollup 1 for Windows 2000 SP4, to get support as the OS transitions from Mainstream to Extended support, but many will want to do so because it contains more than 50 critical and important fixes for security vulnerabilities and 400-plus other bug fixes.

Focus on Fixes, Not New Features

According to a study by AssetMetrix, Windows 2000 still accounts for nearly half of currently deployed business desktops, so the potential base of customers who will benefit from the rollup is substantial.

Microsoft says it released the bug fixes in a rollup rather than creating a fifth service pack in order to make it as easy as possible to keep Windows 2000 computers up to date from a security perspective, and to reduce the amount of predeployment testing that customers must perform to deploy the updates. Microsoft says the rollup should require less predeployment testing than a service pack because it includes far fewer changes.

In fact, the update rollup contains fixes for more security vulnerabilities and other bugs than the recently released Windows Server 2003 SP1. But it is not solely the number of fixes that complicate testing scenarios for customers deploying service packs; rather, it is the number of new or changed features that Microsoft typically includes in service packs. Here, the update rollup is successful: it only changes the functionality of one component—telephony. Specifically, after installing the rollup, telephony clients will only accept encrypted remote procedure call (RPC) packets. However, this change will have little effect, as few servers are deployed in a telephony role (for example as a PBX) and most telephony clients connect to the server by a different mechanism (rather than RPC packets).

Customers who have installed the individual fixes for Windows 2000 security vulnerabilities and other bugs should still install the rollup to get the latest tested versions of the fixes. The update will be set to deploy via Windows Update and the Automatic Update service at some point in July 2005. However, Microsoft will not provide a block to defer the installation as it did with Windows XP SP2 and Windows Server 2003 SP1, because the company feels that the rollup is not as risky to deploy as a service pack.

Customers must install Windows 2000 SP4 before they can install the update rollup.

For a list of the critical and important security vulnerabilities fixed by the update rollup, as well as other background and a link to download it, see support.microsoft.com/default.aspx?scid=kb;en-us;891861.

A list of noncritical security fixes and other bugs fixed in the update rollup is at support.microsoft.com/kb/900345.