Push Is Coming to Shove for XP SP2 Deployment

By John Pallatto  |  Posted 2005-04-06

Push Is Coming to Shove for XP SP2 Deployment

Affecting all the XP users who have been avoiding or procrastinating about installing the Windows XP Service Pack 2 upgrade, Microsoft is about to make the decision for them.

On April 12, Microsoft Corp. is scheduled to turn on its Automatic Update service, which will deploy the XP Service Pack 2 to all PCs connected to the Internet regardless of whether corporate IT departments or individual PC users have prepared for it.

SP2, developed to fix critical security holes and deploy performance enhancements, was originally released in September 2004. But in response to customer complaints, Microsoft suspended the automatic deployment for eight months to give users time to prepare for the upgrade.

With the upgrade deadline looming, one study shows that the vast majority of companies running XP have actively avoided the upgrade or simply ignored the problem.

The study, by AssetMetrix Research Labs of Ottawa, Canada, showed that only 24 percent of Windows XP PCs have been upgraded to SP2.

"This whole thing reminds of those days back in college when you asked for a two-week extension on the due date for a midterm paper," said Steve OHalloran, managing director of AssetMetrix Research Labs. "But the weekend before the paper is finally due, you still havent done any work," he said.

The AssetMetrix study of 136,000 PCs at 251 North American corporations showed that only 7 percent of the companies studied have actively accepted and deployed the upgrade.

Of the remainder, 52 percent hadnt established any policy or plans for the SP2 upgrade, and 40 percent were actively avoiding it.

The results were surprising, OHalloran said, because the study managers expected that companies would adopt more decisive policies to either upgrade to XP2 or to hold off until they were better prepared to deploy it.

"Instead we found many, many customers with a mixed mode of XP Service Pack 1, XP SP 2 and even the original edition of XP," he said.

The study didnt closely examine the reason why companies werent upgrading, OHalloran said. But the study indicates that many organizations are ignoring security threats or future application compatibility issues if they decide not to deploy Service Pack 2, he said.

To help large enterprise customers with the SP2 upgrade process, Microsoft updated its Application Compatibility Toolkit in March.

The toolkit includes three security-focused evaluation tools to help customers identify the common issues caused by SP2s increased security settings.

To read more about reported weaknesses in Microsofts Windows XP Service Pack 2, click here.

Preparation is the key when deploying SP2 in a corporate environment, according to IT managers at two different organizations.

Both managers reported that they experienced few problems when they ran the upgrade. But both were careful to perform test installations before widely deploying the updates.

"We deployed SP2 right away, so it was a high priority, said Frans Keylard, an IT administrator with Northwest Head and Neck Surgery, Renton, Wash.

"SP2 didnt break any applications, but then again, we are behind a very hard firewall that is outside our control" because it is maintained by the hospitals IT department, Keylard said.

Next Page: Testing is critical.

Testing is critical

"We checked the list of problem applications Microsoft provided and found no issues, so we did a test install on a few boxes" and checked how it worked with the hospitals main applications, he said.

"Everything has been running smoothly," Keylard said, mainly because the hospital doesnt have any older legacy applications and because key applications such as its major scheduling application and its e-mail system are Web-based Microsoft .Net applications, he said.

Keylard said that in general, he believes people need to "learn to be more proactive and [know] how to protect themselves" because there is plenty of malware circulating that could cause problems.

The best solution, he said, would be "a full-auto update" so no user intervention is required at all.

Keylard indicated that he couldnt understand why some organizations and individuals have delayed updating their systems.

"My question is whether other IT organizations have concrete reasons to delay SP2 installation, or if they are simply stalling in the hope that non-specific bugs are fixed," he said. Keylard said he suspected "this is a common mentality."

Click here to read about a critical firewall bug fix that is included in an SP2 update.

Testing also helped the South Carolina Department of Parks, Recreation and Tourism to carry out a fairly smooth SP2 deployment, said Bernie Robichau, network administrator and security officer with the department.

The department deployed it on more than 400 desktops and laptops in September 2004 after testing the deployment on a small subset of machines, he said.

"We have had no significant issues with SP2 and a few minor issues that we dealt with on a one-by-one basis," he said.

However, some testing and tweaking of the update routine was necessary to ensure smooth operation, he said.

"We used the Windows Server 2003 Group Policy to modify the way SP2 worked in our enterprise," he said.

The changes were necessary because "the vanilla install would not have worked out for us," he said.

"I can see why people would be frightened about system upgrades coming down o their machine unsolicited," he said. This may be why some organizations have been "delaying the inevitable," he said.

But you can "mitigate the problems of SP2 if you know how it works with the Group Policy and you know how it will affect your specific environment," Robichau said.

"Testing, testing, testing–that is important," he said.

Check out eWEEK.coms for Microsoft and Windows news, views and analysis.

Rocket Fuel