Should You Put Windows XP SP2 Deployment on Autopilot?

By Larry Seltzer  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Opinion: Microsoft has recommended that most users acquire SP2 via the Automatic Updates feature and has provided tools for corporations to do this. Is it a good idea?

I've seen reports of people who are shocked! Shocked to hear that there are applications and network configurations that fail to function under Windows XP Service Pack 2.

After years of complaining about security problems in Windows, Microsoft finally does the right thing and plugs many of the holes even at the cost of breaking functionality of software. I, for one, am not shocked to see them criticized for doing just that. Of course, it's almost the point of XP SP2 that it breaks these configurations. We shouldn't be surprised to find issues with Service Pack 2. We shouldn't take too much time in adopting SP2. But we should test it.

If you're responsible for a large number of Windows XP systems and you don't have an explicit test network, you should already have designated a small sample of typical systems as guinea pigs for the release candidates, and therefore the changes in the program should be no surprise to you. Move on to the release code on these systems for final testing and then to a staged deployment.

It's entirely possible that you'll find issues in testing. They may not be big problems; the firewall may be blocking a port you use and you might just open it. In other cases you might take the opportunity to rethink an application. I've seen one program (DivX video) that breaks on SP2 on systems with support for SP2's Data Execution Protection, the ability to detect buffer overflows. Their solution? Turn off the protection, at least for their programs. Does this seem worth it to you? In fact, this is the perfect example of the kind of program that will have to change.

Next Page: Why not use Automatic Updates?

How should you deploy SP2? Microsoft has been recommending to consumers to turn on Automatic Updates and let SP2 install on its own. This may be the best way for business networks too. Set up a Windows SUS (Software Update Services) Server, free for those with a license to the Windows 2000 and Windows 2003 Servers on which they run, and use group policies to point the Windows XP clients to it for their updates.

Some have suggested on security mailing lists that this is irresponsible, I guess because Microsoft has typically not allowed service packs to be installed through automatic updates. I have to wonder why not. Automatic Updates is a statement that you are trusting Microsoft to install software on your system to make it safer, and that's what SP2 is all about. Is a service pack, especially one that has been so thoroughly tested, really that much more dangerous to install this way than any of the smaller fixes that normally go through Automatic Updates?

If you're a single user and you don't like what SP2 has done to your system, you can get rid of it. There is an explicit uninstall option in Add/Remove programs. You can also use System Restore to put the system state to where it was before SP2. I just tested this and it's slow, but works. You don't even need to be able to boot. I booted into Safe Mode With Command Prompt (after pressing F8 during Windows boot) and ran system restore by typing %systemroot%\system32\restore\rstrui.exe (where %systemroot% is probably c:\windows). Follow the program and you'll find a restore point named "Installed Windows XP Service Pack 2".

Some smaller business networks run Automatic Updates in client PCs for the smaller Windows security updates it provides, but don't want to pull in the massive SP2 without further testing. But Microsoft has promised to deliver tools to let you temporarily disable and then re-enable delivery of Windows XP SP2 via Automatic Updates and Windows Update. This will give you a chance to do your testing first. The tools, along with a ton and a half of information on deploying SP2, will be found on Microsoft's SP2 TechNet page. (They're not there yet.)

If you're a network administrator, you should already be testing SP2 deployment. You've had lots of time to investigate on the release candidates. The longer you wait, the longer you leave your users in a more vulnerable state than they need to be.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.com's Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  

More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...