Windows 2000 Service Pack 3 was released earlier this month, consolidating more than a year of security patches and other bug fixes since Service Pack 2 shipped. It, along with related documentation, can be found at www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.asp.
SP3 includes the contents of Service Pack 1, Service Pack 2 and Windows 2000 Security Rollup Package Version 1, as well as many additional fixes. As such, it should be applied but only after appropriate testing.
The service pack introduces three components: Microsoft Corp.'s automatic update agent (which, if configured to apply updates automatically, will unfortunately also reboot machines automatically); Microsoft Installer 2.0; and a seriously ineffective tool to hide the presence of Internet Explorer, Outlook Express and Windows Media Player.
As with other service packs, caveat emptor. Windows 2000 SP3 installed without error messages for us on Microsoft Web server, Domain Name System, domain controller and IBM database server boxes running Windows 2000 Server, and we've been running those systems on SP3 for a week with no application breakage.
Others haven't had that experience. SP3 early adopters posting their difficulties on Microsoft's support newsgroups report crashes, blue screens on boot and other troubles on machines. Machines with Logitech Inc. mouse drivers, Symantec Corp.'s Norton Personal Firewall and Promise Technology Inc. Ultra100 IDE controllers all had compatibility problems with SP3 for at least some posters. Our memory of Windows NT Service Pack 6, which broke IBM's Lotus division's Notes servers, is still a recent one, too.
As with any major operating system upgrade, there's no substitute for local testing. Two important pre-installation tasks are updating the system repair disk before installing SP3 (as the installer advises), so a system repair can be done after the service pack install, and choosing to save system files so the service pack can be uninstalled.
We also caution that installing SP3 does not, on its own, result in a fully patched-up default Windows 2000 installation: The Windows Update site already contains a security update marked “critical” for Windows Media Player (Q320920) that is not included in the service pack.
The update site suggests upgrading to Internet Explorer 5.5 SP2, but Windows 2000 SP3 does automatically update the default Internet Explorer 5.01 installed with Windows 2000 to Internet Explorer 5.01 SP2 and so applies the latest security fixes.
The automatic update agent installed by default with SP3 is the biggest issue IT staff will need to address when deploying SP3. The default behavior of the agent is to automatically download updates but not (repeat, not) install them. Only those in the Administrator group can install patches or change Automatic Updates settings (it is controlled through a new Control Panel icon).
A big warning to administrators about configuring the agent to automatically apply updates (by default, this is done at 3 a.m. each day): This option will result in automatic system reboots whenever an update is downloaded that requires a restart.
In our tests, after configuring the agent to automatically apply updates, it waited until its scheduled time and then downloaded all the critical updates pending for the system. It then applied the updates and rebooted the system, giving us a 5-minute countdown each time, during which we could stop it from acting.
Without active intervention, however, it forces a reboot, losing changes to a number of documents we had left open. This is completely unacceptable for most sites because administrators won't be able to predict or warn users when their systems will be restarted—that will depend on what Microsoft posts to the Windows Update site.
One administrator at the University of Arizona, in Tucson, already reported on a Microsoft support newsgroup that “there have been several people here who have lost a great deal of work” because of automatic updates.
eWeek Labs does like update agent software when centrally managed, and we think including it in SP3 is the right thing to do. However, we strongly urge administrators to investigate Microsoft's new Software Update Services, released in June, which allows administrators to host their own internal source for Windows updates and deploy updates on their own schedule. Software Update Services is free and can be downloaded from www.microsoft.com/Windows2000/downloads/recommended/susserver/default.asp.
If administrators choose to turn off automatic updates permanently, disabling two services, Automatic Updates and Background Intelligent Transfer Service, will do this.
Blanket Pulled Over IE
SP3 also includes a new option to “hide” Internet Explorer, Outlook Express and Windows Media Player. This feature (prompted by the antitrust case) is installed only on Windows 2000 Professional and is astonishingly minimalist.
Administrators, do not expect this option to actually disable or remove these packages. When we unchecked the “Show this program” options in the new Set Program Access and Defaults panel, the tool did nothing more than delete the Internet Explorer, Outlook Express and Windows Media Player icons from the Start menu and Windows task bar. The programs were otherwise left fully installed and functional, and—even worse—related file associations were left in place.
When we launched an HTTP link through the Start, Run command or opened an HTML file from Windows Explorer, Internet Explorer started. When we opened an MP3 file from Windows Explorer, Windows Media Player ran just as before.
This is totally inadequate for IT staff wanting to remove these packages because of their histories of serious security problems.
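To check which file types still open in the "hidden" programs, an administrator can capture the output of the cmd.exe built-ins `assoc` and `ftype` and cross-reference them. The script below is an added example, not part of the original article; the executable names it looks for are assumptions, and the sample listings are constructed.

```python
import re

# Executable names assumed for the three "hidden" programs (not from the article).
HIDDEN_PROGRAMS = {
    "iexplore.exe": "Internet Explorer",
    "msimn.exe": "Outlook Express",
    "wmplayer.exe": "Windows Media Player",
    "mplayer2.exe": "Windows Media Player",
}

# Constructed sample of `assoc` output (extension=file type).
SAMPLE_ASSOC = """\
.htm=htmlfile
.html=htmlfile
.mp3=mp3file
.eml=Microsoft Internet Mail Message
.txt=txtfile
"""

# Constructed sample of `ftype` output (file type=open command).
SAMPLE_FTYPE = r"""
htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
mp3file="C:\Program Files\Windows Media Player\mplayer2.exe" /Play "%L"
Microsoft Internet Mail Message="C:\Program Files\Outlook Express\msimn.exe" /eml:%1
txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
"""

def parse_pairs(text):
    """Parse `name=value` lines as printed by assoc/ftype into a dict."""
    pairs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name:
            pairs[name.lower()] = value
    return pairs

def lingering_handlers(assoc_text, ftype_text):
    """Return {extension: program} where the open command runs a hidden program."""
    ftypes = parse_pairs(ftype_text)
    found = {}
    for ext, file_type in parse_pairs(assoc_text).items():
        command = ftypes.get(file_type.lower(), "")
        exe = re.search(r"([^\\/\"\s]+\.exe)", command, re.IGNORECASE)
        if exe and exe.group(1).lower() in HIDDEN_PROGRAMS:
            found[ext] = HIDDEN_PROGRAMS[exe.group(1).lower()]
    return found

if __name__ == "__main__":
    for ext, program in sorted(lingering_handlers(SAMPLE_ASSOC, SAMPLE_FTYPE).items()):
        print(f"{ext} still opens in {program}")
```

On a real machine, replace the two sample strings with the text saved from `assoc > assoc.txt` and `ftype > ftype.txt`.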
eWeek Labs West Coast Technical Director Timothy Dyck can be reached at [email protected]