Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Redmond, we have a problem here. You see, I’m finding that patching Windows XP systems to Service Pack 2 (SP2) has all of the troubles and concerns that come with an operating system upgrade instead of a major patch.

Technically, I can handle that, but I suspect there are a lot of VARs (value-added resellers) and system integrators out there who don’t realize yet that implementing SP2 properly is a huge job. More importantly, I know that most end-users aren’t aware of just how difficult upgrading their businesses to SP2 is going to be.

I’ve worked with operating systems of all kinds since the ’80s, and the closest thing I can come to the XP SP2 upgrade in terms of Windows upgrade difficulty is NT 4 SP3. That patch has something else in common with XP SP2: It was absolutely necessary.

You can argue, as I did then, that NT 4 SP3 was required to finally make NT a truly useful server operating system. Today, XP SP2 is mandatory to make XP at least reasonably secure. As it sits today, an unpatched XP system is a security disaster waiting to happen.

Click here to read why unpatched Internet Explorer is just too darn dangerous to keep using.

At the same time, though, if you’re in the Windows channel business, you’re going to have to do a lot of testing to make sure that your customers’ applications aren’t going to break under SP2. We already know that some applications will break. Microsoft’s own Microsoft Business Solutions CRM version 1.0 flat out won’t run with SP2, and you have to walk your way through a series of workarounds to get 1.2 to run.

A close look at Microsoft’s CRM troubles reveals problems that you’re sure to run into with other programs. For example, CRM 1.2 uses pop-ups, and Internet Explorer 6 after SP2 now comes with a pop-up blocker. Or if you access a Microsoft CRM server from the Internet zone, you’ll now have to manually set its URL to the Trusted Zone before the CRM client will display properly.

I also foresee other, generic applications problems emerging. The main source of these problems will be the new, improved and—most of important of all—automatic Windows Firewall, which replaces Microsoft’s old and lame ICF (Internet Connection Firewall).

For most SOHO users, simply updating their firewalls to Windows Firewall-compatible versions should take care of these concerns. For instance, the popular new version from ZoneAlarm, ZoneAlarm 5.1.011, works with SP2 and its new Security Center.

Click here to read why your PC users still will want third-party firewalls.

But corporate users who have never had a firewall on their desktop PCs are going to report a whole lot of “false” problems that will boil down a program or network resource having been blocked by Windows Firewall.

Next Page: Positive changes for Internet Explorer.

You can work on preventing this kind of problem by using the new Group Policy settings to set up the firewall ahead of time, and then limiting users’ ability to modify these settings. By default, there are two profiles: a domain profile for use when the computer is on the corporate LAN, and a more restricted standard profile that’s suitable for laptops and remote computers that are outside the company network.

SP2 also makes many positive changes to Internet Explorer. Most of these boil down to restricting the use of ActiveX controls, Browser Helper Objects, toolbars and other browser extensions. The downside is that this also means you’re going to need to manage these—or let the users do it, which is downright foolish—to make sure that any custom, Internet Explorer-driven application will work.

You’re also going to need to update your anti-viral programs to work properly with SP2’s new Security Center. If your users have been making do with older versions of anti-virus programs, they may find themselves seeing false negatives about their anti-viral program being out of date. That’s sure to add a few more calls to the old help desk.

The anti-viral companies are working on addressing these issues. For example, Symantec promises to have more information on its security suite and SP2 out on Aug. 10. But even once these updated programs are out, you’ll need to check them out for compatibility and then deploy them.

Of course, to do all of this properly, you’re going to need to test all of the typical client hardware and software setups to make sure the settings are right in the first place. In other words, you’ll need to test this patch just as you would a new operating system.

These are all technical problems. We can overcome these. It’s what we, as VARs and integrators, do for a living.

No, the greatest problem the channel faces is twofold. The first is that IT managers don’t seem to realize that they really must upgrade. The second is that the CIOs and chief technology officers need to realize that when they call us in to make the upgrade, getting SP2 in and working properly is a major job. This isn’t a come in and do it over the weekend job.

If Microsoft wants to do its partners a big favor, even bigger than helping us with the SP2 technical issues, the folks in Redmond need to start getting the word out to companies that upgrading to SP2 is a big project and that they should plan appropriately. If not, well, expect a lot of unhappy customers out there when they find that you’re still there, still working and still billing them a few weeks from now. Microsoft? Could we have a little help, please? Senior Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late ’80s and thinks he may just have learned something about them along the way.

Check out’s Windows Center at http://windows.eweek.comfor Microsoft and Windows news, views and analysis.

Be sure to add our Windows news feed to your RSS newsreader or My Yahoo page