Packing It In with Windows Server 2003 SP1

Opinion: Given how big and feature-rich the latest Microsoft service packs have been, Microsoft needs to rethink how they are installed.

Service packs from Microsoft have been making a lot of news lately—with praise, anger and confusion over whether people should be forced to deploy a service pack. But Im not here to talk about Windows XP Service Pack 2. OK, OK. Ill give you my 30-second opinion.

In general, I think its worth upgrading to SP2 for the security enhancements and improved Internet Explorer version it provides. However, the upgrade is a big jump—in many ways, its a completely new operating system.

I could easily argue that Windows XP SP2 is a bigger change from standard Windows XP than Windows ME was from Windows 98. Here at eWEEK Labs, in fact, we treat standard Windows XP and Windows XP SP2 as different versions and have different system images for each.

As for the overblown hoo-ha about people being forced to deploy SP2, I have two simple points: If a business doesnt want SP2, its IT managers can get the free Microsoft Software Update Services, point their systems at it and control what updates the systems get. Individual users who dont want SP2 can just turn off Automatic Updates. Wasnt that simple?

Now, on to the service pack issue that is really bothering me—namely, Windows Server 2003 SP1.

Overall, I really like this service pack. It takes security very seriously, and any system that has it properly deployed will be much safer from potential attacks than it was without the service pack. (Look for eWEEK Labs review of SP1 next week.) Weve had discussions with several IT managers who have been working with the betas at their companies, and it looks like things are going very well—with the proper upfront testing, of course.

But what about the—lets face it—majority of administrators who wont do the proper testing? What will the SP1 experience be like for them? Well, depending on what their servers to be updated are doing, maybe not so good.

Soon after Windows Server 2003 SP1 came out, I was checking for updates on a server in the lab and saw SP1 on the Windows Update site. The server I was checking was a production Microsoft SharePoint portal system that we in the Labs use on a regular basis, but I knew it wouldnt be a catastrophe if the server were down for a bit. I thought, What the heck? Lets see what this service pack will do. Theres nothing like testing on a real production system.

So I selected SP1, clicked the Install button and let it run its course. As with most Microsoft service packs, this meant that SP1 ran and didnt ask for any input until it asked if I wanted to reboot.

After rebooting and performing the follow-up procedures, I had a brand-new Windows Server 2003 system with SP1 running, but, unfortunately, several people couldnt access it: The system has two NICs, so it can sit on two networks; one network had full access, while the other was completely blocked.

I was aware that SP1 blocks a lot of potentially problematic services, so I decided to run the new Security Configuration Wizard to fix things. But the SP1 installation didnt install this particular wizard (although it did install the help file for it). So, rather than dig through all the settings manually and keep the system down for a lot longer, I uninstalled the service pack.

I know I did a lot of things wrong and didnt follow all best practices to a tee, but a lot of people will do exactly the same thing. So, given how big and feature-rich these latest Microsoft service packs have been, Microsoft needs to rethink how its service packs are installed.

As I said earlier, in many ways, these service packs are like a whole new version of the OS they are updating. Microsoft should treat the installs in the same way: During a service pack installation, dialog windows should appear that let the user configure the service pack properly before it installs.

With SP1, for example, it would be very useful if the Security Configuration Wizard ran during installation. That way, rather than turning off after-the-fact settings that the service pack shouldnt have made, administrators can prevent them from loading in the first place.

This is especially important when updating a server. After all, if it cant serve anything, what good is it?

Labs Director Jim Rapoza can be reached at

To read more Jim Rapoza, subscribe to eWEEK magazine.


Check out eWEEK.coms for Microsoft and Windows news, views and analysis.