Windows XP SP3: We Ought to Have More of These

Opinion: Roll-up updates would make it easier for most users to stay up-to-date; splashy updates with new features scare IT into delays.

Many years ago I complained about Microsofts update policies, specifically about the sheer number of updates that were available only online. What was needed was a disk version of Windows Update. If you bought a new computer and connected to the Internet, especially for a dial-up user, you faced hours of updating from Windows Update, not to mention updating Microsoft Office.

OEMs are much better now than they were then about delivering systems relatively up-to-date, but you cant assume that systems bought off the shelf at your average electronics store are anywhere near up-to-date. What was needed, I argued, was a periodic CD update to bring Windows up to some baseline, such as Service Pack 2.


The installed base for Windows is expected to cross the 1 billion mark. Read more here.

Windows XP SP3 will be, in effect, that kind of update. All indications are that it is a simple roll-up of updates to Windows since SP2, which shipped ages ago, back in August 2004. It will add a few critical security-related updates for applications such as Internet Explorer 7 and Windows Media Player 11.

This hands-on review says there are a few small changes in addition to the roll-up. There are some changes to clarify wording in the Control Panel Security Options applet. Also, the address bar option in the Taskbar tool bar list is gone—the victim, it is said, of a "regulatory request." I guess this makes the browser too "integrated." At least it was a worthless feature.

There are also a couple of useful, if obscure features, such as kernel-level support for FIPS (Federal Information Processing Standard)140-1 Level 1 cryptography. Also, there will be improvements in black hole router detection; this is where routers drop incoming packets without informing the system.

Microsoft says SP3 for Windows XP is currently planned for the first half of 2008, but no promises on that date. Ive seen stories claiming that its release is timed to coincide with that of SP1 for Windows Vista. Why you would want to coordinate the two is beyond me, but the distinction between those two updates is interesting.

Like Windows XP SP2, Vista SP1 is viewed as an important update, a turning point for the products. XP SP2 made changes so important and consequential to XP that many at Microsoft wanted to call it a new version of Windows, but it was decided to downplay the changes as a service pack in order to accelerate adoption of it, in order to improve Windows security footing.

Vista SP1, on the other hand, was an enterprise planning target long before Vista even shipped. Obviously, there was always going to be an SP1, but the perception that many buyers were waiting for it in order to adopt Vista gave Microsoft some perverse incentives. Microsoft wants the service pack to give that air of maturity to Vista, but it has reason to avoid changes that would require substantial new testing.

For example, I had heard through the grapevine that Vista SP1 would turn DEP (Data Execution Protection) on, by default, much more extensively than in Vista or XP. This is the sort of change that can cause problems with third-party drivers. I wouldnt be surprised if Vista SP1 turns out to be more conservative than its designers had originally planned. The first big update after a release is not just about rolling up patches, its about correcting mistakes.

But once a product becomes mature, periodic roll-ups are good for users. I still havent heard from Microsoft it doesnt provide them, and its not for lack of asking. Perhaps Microsoft figures people will ignore monthly updates if there are roll-ups two or three times a year.

Its hard for some of us edgier people to believe, but there still are a lot of dial-up users out there, and a lot of DSL users with very slow connections. For these people, updating a system takes all night long on the computer, perhaps more. They alone are a good enough reason to make updating easier, but there are others.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.