IT managers are mainly enthusiastic about Windows XP's latest security update, Service Pack 2 (SP2), distribution of which has now resumed, but a significant minority say they have no plans to implement it, according to two recent surveys, one in the UK, the other in the USA. However, they are sanguine about the impact on applications, seeing it as the price you have to pay for added security.
One survey, researched in the UK by LANDesk Software and involving 400 UK IT managers, suggests that nearly three-quarters plan to deploy SP2. Almost two-thirds (63 per cent) say that they'll have it installed by the end of 2004, their main motivation being network security. Among those who will wait before deploying, caution about the impact of such a major update is the reason cited for the delay.
A second survey, conducted in the USA by Russ Cooper, editor of the NTBugtraq mailing list, suggests that IT managers over the pond think similarly, though they plan to be quicker to deploy. Thirty per cent of the 578 respondents said they would deploy within 30 days, 25 per cent will deploy in three months, while 14 per cent remain undecided.
Further tests with SP2 show that the extent to which it breaks applications may be greater than Microsoft has posited.
Some users discovered compatibility problems with applications they already had tested and blamed last-minute changes Microsoft made to the XP SP2 code. "If I am upset about anything it is the fact that Microsoft did make what I consider to be significant last-minute [code] changes in the final days and weeks without providing even those with extraordinary access [to source code] the ability to test their applications," says Jeff Altman, president of Secure Endpoints.
Others found severe incompatibility problems with home-grown applications and some say the XP SP2 code is not ready for enterprise deployments. "It's sloppy code," says Ian Hayes, a security manager for a major US government contractor which he asked not be named. "This service pack may be more suitable for XP Home users but not for people who use power apps or security tools that run XP Pro." Hayes says he found that SP2 erased restore points used to roll back to a stable operating system configuration, forcing the rebuilding of some desktops. "It's going to be a long slow evaluation," he says.
A German research firm reported it found two bugs, but Microsoft officials refused to comment on what they labelled "unsubstantiated issues".
But with nearly 300 applications already affected by XP SP2, some large corporate customers aren't exiting the test phase. "We have decided not to do SP2 at this point," says Richard Mickool, executive director of information services at Northeastern University in Boston. "We're just not sure of what applications and how many it will break. Until we know what and how, we want to work carefully around that."
But others had enough incidents to know that XP SP2 won't make it out of their test labs for some time.
"We have a lot of home-grown applications that did not work well with SP2. It will be six months before we roll it out," says Chip Logan, IS manager for Alvey Systems, which manufactures material handling equipment.
Some say they are allowing for prudent evaluation periods, but that the problems they are finding with broken applications are the price of converting to a more secure operating system.
Joe Doyle, network engineer for Promega, is at the start of his final three weeks of testing. "Knowing that changes to the [operating system] will help mitigate new worms and viruses and protect our users, sometimes from themselves, lets us as systems administrators sleep better at night."
"With the firewall turned on by default that means a whole class of attacks on Windows will no longer succeed. And hooray for that!" says Mark Rockman, programmer and systems administrator for Alphagenics, who already has rolled out XP SP2 on his small network without incident.
In the end, users say XP SP2's greatest feature might be that Microsoft is starting to understand security.