The automatic update agent installed by default with SP3 is the biggest issue IT staff will need to address when deploying SP3. The default behavior of the agent is to automatically download updates but not (repeat, not) install them. Only those in the Administrator group can install patches or change Automatic Updates settings (it is controlled through a new Control Panel icon).
A big warning to administrators about configuring the agent to automatically apply updates (by default, this is done at 3 a.m. each day): This option will result in automatic system reboots whenever an update is downloaded that requires a restart.
In our tests, after configuring the agent to automatically apply updates, it waited until its scheduled time and then downloaded all the critical updates pending for the system. It then applied the updates and rebooted the system, giving us a 5-minute countdown each time, during which we could stop it from acting.
Without active intervention, however, it forces a reboot, losing changes to a number of documents we had left open. This is completely unacceptable for most sites because administrators won't be able to predict or warn users when their systems will be restarted—that will depend on what Microsoft posts to the Windows Update site.
One administrator at the University of Arizona, in Tucson, already reported on a Microsoft support newsgroup that "there have been several people here who have lost a great deal of work" because of automatic updates.
eWeek Labs does like update agent software when centrally managed, and we think including it in SP3 is the right thing to do. However, we strongly urge administrators to investigate Microsoft's new Software Update Services, released in June, which allows administrators to host their own internal source for Windows updates and deploy updates on their own schedule. Software Update Services is free and can be downloaded from www.microsoft.com/Windows2000/downloads/recommended/susserver/default.asp.
Administrators who choose to turn off automatic updates permanently can do so by disabling two services: Automatic Updates and Background Intelligent Transfer Service.