Neil Turner's Blog

Blogging about technology and randomness since 2002

Deployed SP2 yet?

Microsoft has extended the SP2 blocker to April. So now Automatic Updates won’t install SP2 until a whopping 8 months after the patch became available. Great :-/ .

A lot of companies are claiming that SP2 is a big update and that they need time to test their systems and ensure that their existing software works – and acquire patches or replacements for software that doesn’t work. Which is fair enough.
Except that there’s been a publicly available release candidate of SP2 available for 5 months now. Now, okay, it wasn’t the final release, but it was a release candidate and there haven’t been any huge changes since. Any company that really cares about security (which should be all of them) would have set aside some test machines with setups identical to those used within the organisation and then deployed the release candidates on it when they were available and then tried to work around them. Then, when the final patch came out, they could install that, ensure that any of the minor changes in it didn’t affect anything, and then deploy it.
Of course, you’ve got the problem of software houses that haven’t released SP2-compatible patches for software yet, and so holding back for them is advisable. But then surely the software houses should have been keeping an eye on SP2 as well.
Despite what has been put forward in the media, SP2 is not just Windows with a better firewall and popup blocker. There have been some major architectural changes to considerable parts of the operating system to ensure that any security flaws discovered in future won’t adversely affect systems in the way that CodeRed, Nimda, Blaster and Sasser have. Things like prevention of Buffer Overflows and the locking down of DCOM – backend stuff that means nothing to many users but ultimately will make Windows less exploitable in future.
We’re now hitting a time where “0-day vunerabilities” like Download.ject, where code for exploiting flaws is found in the wild before the flaws have been reported, are getting more common. We can’t rely on patches and hotfixes for ever – we need to stop these problems form happening in the first place. And SP2 goes a long way towards that.
Microsoft will have extended the grace period for SP2 because of pressure from its consumers but had those customers and the other software providers been better prepared this wouldn’t have been necessary. By all means test patches out, but you’re already 4 months behind. By the time April comes around, there will have been a publicly-available version of SP2 available for a whole year, and resources for dealing with the changes in SP2 freely available for almost as long.
If you think I’m living in some fantasy world then you may be surprised to hear that some companies have done exactly what I have suggested, and they’re now running SP2 across the enterprise. The company that LordRich and Cobaltfish work for deployed it last month. Okay, so they’re not exactly Novell or IBM but if they can do it then so can many others.


  1. Except that there’s been a publicly available release candidate of SP2 available for 5 months now. Now, okay, it wasn’t the final release, but it was a release candidate and there haven’t been any huge changes since.
    But there might have been, meaning work based on the RC could have been wasted. I do see your argument, but there is a counter-argument that companies/institutions should wait until the software is finished before investing any resources into applying it. I can see this being particularly compelling to the non-tech managers, who control the resources!
    Techs understand the difference between a RC and a final release, but imagine explaining it to a Finance Director who might have just about grasped the concept of beta software “It’s a working version? Come back when it’s ready, then.”

  2. We haven’t deployed it yet because goldmine, symantec antivirus, our terminal emulator package and parts of microsoft office do not work with sp2….
    We tested it a long time ago and found it didn’t work but have not had any bug fixes from software companies that we use.
    I guess it doesn’t help that we aren’t necessarily on the most uptodate version of the software (but even the most recent versions aren’t patched)

  3. My partner works for Microsoft. Her department has not switched over to SP2 yet. Why? Because some of the software her department relies upon breaks when SP2 is installed. One of the more crucial pieces of software that breaks was developed internally by Microsoft (it’s a sceduling and production flow management tool). The department that developed that software places her department’s needs lower on the priority list, so it’s not likely that she’ll be using SP2 for a couple of months.

  4. I’ve switched to it. No real issues so far, at least on my home PC. I’m not brave enough (yet) to install it on my laptop PC (where most of my “real” work gets done), and my office hasn’t deployed it yet, either.
    The security features which were supposed to be a big selling point of SP2 seem to have left most of the world rather disappointed (though it’s still better than the *complete* lack of security in SP1).
    Time will tell…