Should You Put Windows XP SP2 Deployment on Autopilot?By Larry Seltzer | Print
Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers
Opinion: Microsoft has recommended that most users acquire SP2 via the Automatic Updates feature and has provided tools for corporations to do this. Is it a good idea?I've seen reports of people who are shocked! Shocked to hear that there are applications and network configurations that fail to function under Windows XP Service Pack 2.
After years of complaining about security problems in Windows, Microsoft finally does the right thing and plugs many of the holes even at the cost of breaking functionality of software. I, for one, am not shocked to see them criticized for doing just that. Of course, it's almost the point of XP SP2 that it breaks these configurations. We shouldn't be surprised to find issues with Service Pack 2. We shouldn't take too much time in adopting SP2. But we should test it.
If you're responsible for a large number of Windows XP systems and you don't have an explicit test network, you should already have designated a small sample of typical systems as guinea pigs for the release candidates, and therefore the changes in the program should be no surprise to you. Move on to the release code on these systems for final testing and then to a staged deployment.
How should you deploy SP2? Microsoft has been recommending to consumers to turn on Automatic Updates and let SP2 install on its own. This may be the best way for business networks too. Set up a Windows SUS (Software Update Services) Server, free for those with a license to the Windows 2000 and Windows 2003 Servers on which they run, and use group policies to point the Windows XP clients to it for their updates.
Some have suggested on security mailing lists that this is irresponsible, I guess because Microsoft has typically not allowed service packs to be installed through automatic updates. I have to wonder why not. Automatic Updates is a statement that you are trusting Microsoft to install software on your system to make it safer, and that's what SP2 is all about. Is a service pack, especially one that has been so thoroughly tested, really that much more dangerous to install this way than any of the smaller fixes that normally go through Automatic Updates?
If you're a single user and you don't like what SP2 has done to your system, you can get rid of it. There is an explicit uninstall option in Add/Remove programs. You can also use System Restore to put the system state to where it was before SP2. I just tested this and it's slow, but works. You don't even need to be able to boot. I booted into Safe Mode With Command Prompt (after pressing F8 during Windows boot) and ran system restore by typing %systemroot%\system32\restore\rstrui.exe (where %systemroot% is probably c:\windows). Follow the program and you'll find a restore point named "Installed Windows XP Service Pack 2".
Some smaller business networks run Automatic Updates in client PCs for the smaller Windows security updates it provides, but don't want to pull in the massive SP2 without further testing. But Microsoft has promised to deliver tools to let you temporarily disable and then re-enable delivery of Windows XP SP2 via Automatic Updates and Windows Update. This will give you a chance to do your testing first. The tools, along with a ton and a half of information on deploying SP2, will be found on Microsoft's SP2 TechNet page. (They're not there yet.)
If you're a network administrator, you should already be testing SP2 deployment. You've had lots of time to investigate on the release candidates. The longer you wait, the longer you leave your users in a more vulnerable state than they need to be.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.