It's entirely possible that you'll find issues in testing. They may not be big problems; the firewall may be blocking a port you use and you might just open it. In other cases you might take the opportunity to rethink an application. I've seen one program (DivX video) that breaks on SP2 on systems with support for SP2's Data Execution Protection, the ability to detect buffer overflows. Their solution? Turn off the protection, at least for their programs. Does this seem worth it to you? In fact, this is the perfect example of the kind of program that will have to change.
How should you deploy SP2? Microsoft has been recommending to consumers to turn on Automatic Updates and let SP2 install on its own. This may be the best way for business networks too. Set up a Windows SUS (Software Update Services) Server, free for those with a license to the Windows 2000 and Windows 2003 Servers on which they run, and use group policies to point the Windows XP clients to it for their updates.
Some have suggested on security mailing lists that this is irresponsible, I guess because Microsoft has typically not allowed service packs to be installed through automatic updates. I have to wonder why not. Automatic Updates is a statement that you are trusting Microsoft to install software on your system to make it safer, and that's what SP2 is all about. Is a service pack, especially one that has been so thoroughly tested, really that much more dangerous to install this way than any of the smaller fixes that normally go through Automatic Updates?
If you're a single user and you don't like what SP2 has done to your system, you can get rid of it. There is an explicit uninstall option in Add/Remove programs. You can also use System Restore to put the system state to where it was before SP2. I just tested this and it's slow, but works. You don't even need to be able to boot. I booted into Safe Mode With Command Prompt (after pressing F8 during Windows boot) and ran system restore by typing %systemroot%\system32\restore\rstrui.exe (where %systemroot% is probably c:\windows). Follow the program and you'll find a restore point named "Installed Windows XP Service Pack 2".
Some smaller business networks run Automatic Updates in client PCs for the smaller Windows security updates it provides, but don't want to pull in the massive SP2 without further testing. But Microsoft has promised to deliver tools to let you temporarily disable and then re-enable delivery of Windows XP SP2 via Automatic Updates and Windows Update. This will give you a chance to do your testing first. The tools, along with a ton and a half of information on deploying SP2, will be found on Microsoft's SP2 TechNet page. (They're not there yet.)
If you're a network administrator, you should already be testing SP2 deployment. You've had lots of time to investigate on the release candidates. The longer you wait, the longer you leave your users in a more vulnerable state than they need to be.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.com's Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: 
More from Larry Seltzer
Commentary 
