No XP SP2 Security Fixes for Win2K: Instead An SP2-Less 'Rollup'
By Ryan Naraine | Posted 2004-12-06
Despite recent calls from customers and analysts, none of the security enhancements built into Windows XP SP2 will be back-ported to Windows 2000, which is still used by the majority of enterprises. But what about those organizations that can't afford to
Microsoft's decision to scrap plans for Windows 2000 Service Pack 5 has effectively killed all hopes that security enhancements built into Windows XP SP2 will be back-ported to Windows 2000.
Following a spate of recent analyst reports warning of long-term security problems with the platform, some enterprise customers anticipated that Redmond would reconsider the Service Pack 5 issue. This hope has endured despite Microsoft's rejection of XP SP2 fixes for Windows 2000 as well as IE-specific SP2 fixes for orphan versions of Windows.
Instead of Windows 2000 SP5, the software giant will release an Update Rollup next year as the final security patch for the operating system. A spokeswoman said there is no chance that some of the XP SP2 security goodies will be added to the Update Rollup.
"The enhancements introduced in Windows XP SP2 will not be back-ported to Windows 2000, as this would require a significant rearchitecting to a large portion of the Windows 2000 code base," the spokeswoman told eWEEK.com.
She said the decision was based on feedback from Windows 2000 customers who said they prefer stability to new additions.
"At this point in Windows 2000's life cycle, [customers want] stability on this product, not new enhancements," the spokeswoman said, arguing that back-porting major code rewrites would lead to "substantial changes to their existing deployments."
Microsoft Corp.'s refusal to roll back some of the XP SP2 advancements, particularly those for the security-challenged Internet Explorer browser, isn't sitting well with analysts who point out that Windows 2000 remains the dominant desktop operating system used in the enterprise.
According to statistics from two major research houses, the majority of all businesses are running the five-year-old OS on the desktop, and even after mainstream support for Windows 2000 expires next June, that number will remain high.
A Gartner survey conducted in October found that enterprise Windows 2000 desktop usage is in the range of 60 percent. By the end of next year, driven by scheduled hardware upgrades, the research firm is projecting that about 75 percent of all businesses will migrate to Windows XP.
"But that means that 25 percent, or a quarter, of all businesses will still be on Windows 2000, and that's not something that Microsoft should be ignoring," said Gartner security analyst Michael Silver.
"Will customers be migrating [to XP] because they're trying to get the security benefits? Or are they spending money because Microsoft isn't shoring up Windows 2000 adequately? That's a legitimate question to ask," Silver said.
Microsoft insists that the coming Update Rollup will contain all security-related updates produced for Windows 2000 between the time SP4 was released and the time when Microsoft finalizes the contents of the Update Rollup.
The Update Rollup decision represents both good news and bad news for Windows 2000 customers, Silver said. "Windows 2000 SP4 will now be the base platform for all Windows 2000 variations through the end of supported life for that product, which Microsoft says will be June 30, 2010.
"This is good news because service packs are hard to apply and require extensive customer testing," Silver wrote in a research note to Gartner clients. "Also, as new service packs are released, the clock starts ticking toward the end of support for the previous service pack.
"Microsoft will continue to supply patches. However, you won't have to install rollups to get Microsoft support or as a prerequisite for new patches," he said. "This makes maintaining your Windows 2000 machines in a supported configuration much easier once you have applied SP4."
On the negative side, Silver lamented the fact that some significant security improvements will not be available for the Windows 2000 platform. Another problem, he said, is that the Update Rollup could lead to compatibility conflicts.
"Microsoft runs full regression tests on service packs, but single patches are not tested as thoroughly and may be more prone to compatibility conflicts," he said.
Laura DiDio, who tracks Microsoft for the Yankee Group, echoed Silver's disappointment. "This is going to be dismaying to customers who can't upgrade because of the economic crunch. Everyone's resources are strained to breaking point. At the very least, some of the safe browsing improvements should still be back-ported," she said.
"If the projections hold, we'll still have 15 percent of all Windows customers running Windows 2000. That's a significant number and, ideally, I'd like to see Microsoft do something for those customers," DiDio said in an interview with eWEEK.com.
"Maybe it's too much of a major overhaul to do a full back-port but, at the minimum, they should address some of the more serious issues. They can start with Internet Explorer since that's been a major target."
The browser has undergone a major overhaul in SP2 to thwart malicious hacking attempts and to offer a more secure browsing experience. The most significant change was made in the way security policies are applied to deal with ActiveX Controls, the technology that is automatically downloaded and executed by the browser.
The XP service pack also introduces an improved firewall turned on by default, but Windows 2000 customers are advised by Microsoft to make use of third-party firewall products.