After a nine-day postponement, Microsoft is ready to start pushing out Windows XP Service Pack 2 (SP2) to PCs running Windows XP Professional Edition.
Taken off guard by the large number of business customers who rely on the Windows Automatic Updates feature for patches, Microsoft last week postponed automatic distribution of the mammoth service pack. The software maker sent a note to corporate customers saying the delay was in response to customer requests for more time to install a registry key that will block the automatic delivery of SP2.
"When we designed Automatic Updates, we had consumers and small businesses in mind. We have been surprised by the number of enterprises who use Automatic Updates," said Jon Murchinson, a program manager at Microsoft.
Faced with concerns from business users, Microsoft two weeks ago made available a tool that allows users to set a Windows registry key that will instruct the system to skip downloading and installing the service pack for 120 days, but still download other critical updates. The tool was released one day after the network installation package for SP2.
Microsoft claims that SP2 is more than the usual roll-up of bug fixes and updates. In the light of Microsoft's new-found priority of security, the company claimed that SP2 makes significant changes to Windows' security. As a result, SP2 can render existing applications inoperable. Because of those changes, many businesses want to hold off on installing the update and are taking time for testing. Automatic Updates initially did not give users that flexibility.
Although Microsoft advises consumers to enable Automatic Updates, the company recommends businesses use patch management tools such as its Systems Management Server (SMS) and Software Update Services (SUS) or third-party products.
The initial schedule called for Microsoft to begin pushing out the already delayed SP2 to all editions of Windows XP on 16 August. Systems running Windows XP Home Edition finally started downloading SP2 on 18 August.
Thomas Smith, manager of desktop engineering at a large Houston-based company, is pleased Microsoft is listening to customers. Smith manages about 5,000 desktops running Windows XP Professional Edition, most of which use Automatic Updates.
"Microsoft finally sees the issues that we see from the corporate world about how serious this is," he said. Automatic Updates probably would have crippled his business by making certain Web-based applications inaccessible, Smith said.
Still, Smith feels Microsoft's decision to automatically push out SP2 is wrong. "I think it should never go out as a critical patch," he said. Instead, Microsoft should have offered feature updates that users could decide to install on their own terms, Smith said.
Aras Memisyazici, systems administrator at Virginia Polytechnic Institute and State University (Virginia Tech), is testing SP2 and has disabled Automatic Updates. "If it was enabled, it would cut my network performance almost in half because of all the traffic," he said. Memisyazici plans to start updating the about 140 PCs in his department in about a month by applying new software images.
Microsoft has labeled SP2 a "critical" update and urges all Windows XP users to install it as soon as possible. The software maker expects about 100 million PCs will be updated by October via Automatic Updates alone. As of March this year, Microsoft had sold about 210 million Windows XP licenses, not counting volume license sales to businesses. There are about 600 million Windows PCs in use worldwide, Microsoft estimated last month.
Caution on the side of corporate users when it comes to installing SP2 seems warranted. Microsoft has published several articles in its "knowledge base" listing over 200 applications that may not work correctly after installing the Windows XP update.
Microsoft has repeatedly urged developers and IT professionals to test SP2. A first beta of the service pack was released in December, followed by Release Candidate 1 in March and a second release candidate in June. The service pack represents one of Microsoft's most broadly tested products to date, the company has said.
While users and Microsoft are busy distributing SP2, security experts and hackers are racing to be the first to find a security problem in the software. Researchers with German Heise Security in a bulletin published 13 August said they found two problems with a security feature in SP2. Microsoft is investigating the reports, but has said it is not aware of any way for an attacker to use the flaws to gain access to a Windows machine.