After nagging by myself and others, Microsoft back in February finally came out with a Windows Update CD. It's a CD version of the key updates to Windows that you would get by running Windows Update.
Of course, Windows gets a lot of updates, so every time you go to the Windows Update site you download many megabytes. It's enough to discourage any user and enough to make a dial-up user give up and just be insecure. That's what was so cool about the Update CD: Everything, or almost everything, you needed would be on the CD and would install quickly. Then, if there was more necessary, it would be a relatively small download.
But after releasing one CD in February, which was difficult to obtain and took weeks or even months to deliver, Microsoft has let the Update CD idea pass. I asked a while ago about any updates to it, and I'm still waiting for a response. Too bad. I don't see why they don't want to do it. But if they were serious about it, they would have made it much easier to get, they would have updated it frequently, and they would have provided ISO images for download so anyone could burn CDs for anyone else.
But you don't need those CDs. You can make one yourself. Sort of. Through a little-known feature of the Windows Update site, you can download the updates yourself, individually, and apply them yourself. It's not perfect, and it's not as good as Windows Update or the Microsoft Update CD, but it has a lot of advantages over Windows Update for a lot of people. For example, when you first boot that machine up and go to Windows Update to install your security patches, you might well be attacked utilizing one of the vulnerabilities patched in the patches you haven't got to yet.
Obviously, someone will need to be connected to the Internet with Internet Explorer for this scheme to work, so the point is to do this prophylactically. You make this CD, and then you can take it to your poor friend/relative's house, the one on AOL with a 28.8K-bps connection, and get them just a little better off.
First, point your copy of Internet Explorer to the Windows Update Catalog. (Sorry, no other Web browsers allowed, but you can get all Microsoft updates with any browser the even harder way at the Microsoft Download Center.) Click the first link “Find updates for Microsoft Windows operating systems.” You will see a listbox with Windows versions. From this we can already see that the updates we download will probably (not necessarily, but you must assume this will be the case) be specific to a version of Windows and probably a particular service pack. Select the right one for you and a language and press Search.
You'll see a list of categories of updates, with the most important one—Critical Updates and Service Packs—at the top. Click on it, and a list of updates appears magically below. Click the Add button for each one you want, and it will be added to your “Download Basket” as if you were shopping on a commerce site. You need to be careful about which version of Windows you choose in the previous step. I find that the difference between “Windows XP SP1” and “Windows XP Professional SP1” is large; with the latter I didn't see any security fixes.
Don't just go clicking everything. If you read carefully you'll see a lot of stuff you don't need, like updates to the Korean version, lots of updates just for the Media Center version of Windows and the MyDoom removal tool. When you're done, click the “Go to the download basket” link. From here you can click a browse button to find a location to download the files to. Fill it in and click Download Now. You'll have to accept a bunch of agreements and then the downloading starts.
You might have noticed in the list of updates that some of them were “cumulative updates.” This is another reason Windows Update is better and that Microsoft really should have provided offline software: If we go through all these updates, one by one, we'll be applying a bunch of redundant updates. There's no easy way around this problem, but there is a hard one. After your download is over you will see a Download History listing all the updates you just downloaded and the dates of their issue. This at least gives you an order from which to begin. Working from most-recent backward, when you find a cumulative or rollup update, open up the description and read it to determine which older updates you can cut from the list and delete from the download directory.
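The pruning pass described above can be scripted once you have noted, by hand, which older updates each cumulative or rollup description says it replaces. The following is an added example, not part of the original column or any Microsoft tool; the update IDs, dates and the "supersedes" field are constructed placeholders, and it assumes that whatever replaces a cumulative update also covers everything that update replaced.

```python
from datetime import date

# Constructed manifest: placeholder IDs, not real KB numbers. "supersedes" is
# what you noted by hand while reading each update's description.
DOWNLOADS = [
    {"id": "PATCH-A", "issued": date(2003, 8, 1), "supersedes": []},
    {"id": "PATCH-B", "issued": date(2003, 9, 15), "supersedes": []},
    {"id": "CUMULATIVE-1", "issued": date(2003, 11, 11),
     "supersedes": ["PATCH-A"]},
    {"id": "PATCH-C", "issued": date(2004, 1, 13), "supersedes": []},
    {"id": "CUMULATIVE-2", "issued": date(2004, 4, 13),
     "supersedes": ["CUMULATIVE-1", "PATCH-C", "PATCH-NOT-DOWNLOADED"]},
]


def prune_superseded(updates):
    """Return (install_order, redundant) for a hand-annotated download list."""
    by_id = {u["id"]: u for u in updates}
    redundant = set()
    # Work from most recent backward, as the column suggests.
    for update in sorted(updates, key=lambda u: u["issued"], reverse=True):
        # An update that is itself redundant is still walked, so the older
        # updates it replaced are dropped too (the assumption named above).
        for old_id in update["supersedes"]:
            old = by_id.get(old_id)
            if old is None:
                continue  # the replaced update was never downloaded
            if old["issued"] >= update["issued"]:
                # Catches a note entered against the wrong update.
                raise ValueError(
                    f"{update['id']} cannot supersede newer {old_id}")
            redundant.add(old_id)
    keep = sorted((u for u in updates if u["id"] not in redundant),
                  key=lambda u: u["issued"])
    return [u["id"] for u in keep], sorted(redundant)


if __name__ == "__main__":
    order, redundant = prune_superseded(DOWNLOADS)
    print("Install, oldest first:", order)
    print("Delete from the download directory:", redundant)
```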
One last tip: You will have to do a lot of rebooting, but you may be able to limit the number of reboots using some tools Microsoft provides. See Knowledge Base Article 296861—How to Install Multiple Windows Updates or Hotfixes with Only One Reboot. Read carefully. This stuff works sometimes and sometimes not.
So, is all that worth it? I'm not so sure, but I see a third-party opportunity, perhaps by one of the patch management companies, to take a catalog like this and make it easier to install. But it shouldn't have to come to that. Microsoft should be providing this.
Perhaps Microsoft is just waiting for Service Pack 2 of Windows XP and that will be their answer to everything. I'm sure that SP2 CDs will be easy to come by (wishful thinking?) and it's still generally regarded as a huge security improvement, but it's not a good excuse for letting things slide in the interim. And not everyone uses Windows XP. It's clear that Windows 2000 users won't get the same security enhancements in XP SP2, but they deserve better access to the updates that Microsoft is supplying.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.