Ready or Not, Here comes Windows XP SP2

TheViffer writes "Beginning April 12, 2005 Microsoft will remove all temporary blocking of Windows XP SP2 by automatic update and Windows update which it has granted to those organizations that requested it. So unless you run Software Update Service (SUS), chances are you will get a mix of SP1 and SP2 running at the same time. Let's just hope you have these programs that are known to experience a loss of functionality when they run on a Windows XP Service Pack 2-based computer and these programs that seem to stop working after you install Windows XP Service Pack 2 patched, upgraded, or removed. Might be a good time for help desk personal to pencil in a week (or two) of vacation."

Never mind the fact....

[MSFanBoi (695480)]

That nearly all the programs on that list are very old, or already have updates for SP2. Hey what the hell, it's Microsof so lets bash them anyways. Sp2 does a LOT of good things for the average Joe in protecting him from his own stupidity.

Re:Never mind the fact....

[jacksonj04 (800021)]

Looks like moderators are on form today.

This is absolutely my argument. If applications use shortcuts which are blocked the instant security is applied, more fool the programmers. There are documented ways to do things, if you use shortcuts then don't blame the OS vendor when those shortcuts are locked down.

Re:Never mind the fact....

[SunFan (845761)]

SP2 is better, that really isn't a point of argument. The only thing that nags at me is why Microsoft didn't do this ten or so years ago, when home users were beginning to connect to the Internet in large numbers. It isn't like stack protection is new technology, nor is having basic firewall functionality available. These two things are probably among the easiest things to implement security-wise, with many examples to follow. If Microsoft had moved the Outlook Express "File Attachments Convenience Team" over to the "Basic Firewall Team" they would have saved themselves a ton of grief.

Re:Never mind the fact....

[Zeinfeld (263942)]

SP2 is better, that really isn't a point of argument. The only thing that nags at me is why Microsoft didn't do this ten or so years ago, when home users were beginning to connect to the Internet in large numbers. It isn't like stack protection is new technology, nor is having basic firewall functionality available.

Until the Windows 98-XP transition was completed there was no point. There is no way to make Win 98 secure, too much support for legacy systems. Sure you could do a firewall, but it would be too easy for a trojan to disable it. I don't think the stack protection scheme would work in Win-98.

We waited ten years for Apple to get its act together and finaly release OS-X and give us basic memory protection.

The hold up here is because there are a bunch of corporate IT departments who have not got arround to making XP SP2 deployment a priority which in turn is because many of them have a small number of apps that are not SP2 compliant.

All I use my machine for is Office, IE and Visual Studio. But I have to wait until they have checked out several hundred Oracle, Clarify etc. apps.

Scientific software is disproportionally affected

[tetromino (807969)]

One of my relatives works in a biochemical research lab. All of their computers are WinXP Sp1 because Sp2 basically broke every single program and driver they relied on for their daily calculations, data acquisition, and analysis (some of the software is commercial, and some was custom-written by people who are currently residing in Eastern Europe and Brazil). Naturally, every worm outbreak hits them hard -- but they think it's worth it to clean up a worm once every couple of months rather than struggle with their bread-and-butter programs locking up on Sp2.

Sp2 is great for the average Joe who uses his box for email and pr0n, but if you are using your computer as a scientific instrument, then installing Sp2 changes (and breaks) too many things.

(In case you are wondering, the reason they don't switch to Linux is that some of their data acquisition hardware doesn't have good Linux drivers)

Re:Scientific software is disproportionally affect

[LurkerXXX (667952)]

If SP2 is breaking stuff, 99% of the time is because it's trying to use some network port that is now blocked with the firewall. Just sniff the traffic going in/out of one of the SP1 boxes, see what ports the apps seems to require, then open those ports after installing SP2 (or turning on the firwall in SP1)

Re:Never mind the fact....

[lcsjk (143581)]

Tell that to Aunt Susie.

Re:Never mind the fact....

[anonicon (215837)]

"I don't see the problem here unless it is an incompetent sysadmin."

You mean the 90+% of the public that doesn't have a sysadmin on staff in their home?

Should be fun.

They don't deserve vacation

[by Anonymous Coward]

They've had plenty of time to complete any migration. The application issues have been known for enough time, that if this is still an issue, they've been slacking off for too long.

SP2 is actually a good thing.

[bigtallmofo (695287)]

I know that it breaks some programs and has caused some people problems, but the alternative of ridiculously insecure Windows boxes running rampant is worse.

I've been running Windows XP SP2 on all of my computers (which admittedly is a small population of 3) with no problems. The built-in popup blocker is more rigorous than anything else I've seen and itself breaks many things (most amusingly Outlook Access for Web), but for the most part is plays fairly nice.

Re:SP2 is actually a good thing.

[demaria (122790)]

"Installing Service Pack 2 will not affect Norton AntiVirus." source: symantec.com
"Installing Service Pack 2 will not affect Norton SystemWorks." source: symantec.com
McAfee support site shows how to load their web downloaded products with SP2. It's just an approval of an activeX control.
"BlackICE PC Protection and BlackICEServer Protection work fine with Windows XP's Service Pack 2." source: iss.custhelp.com
"All ZoneAlarm products (5.1 and higher) are compatible with XP SP2." source: zonealarm.com

Re:SP2 is actually a good thing.

[the_weasel (323320)]

So because it doesn't solve ALL the issues, it has no value?

Thats a pretty restrictive view, and won't get you very far.

Re:SP2 is actually a good thing.

[flosofl (626809)]

Firewalls should be dedicated hardware devices that monitor traffic connection in and out of the local network.

I beleive that's known as the "cruchy outer shell - chewy middle" type of security. This looks nice and effective, but in some industries (i.e. banking) internal threats are much more prevelant. Yes firewalling subnets internally will help, but it does nothing for someone attacking a workstation (or server - but those should have their own subnet) on the same subnet.

For true defense in depth, I would recommend Host-based IDS in conjunction with network IDS and firewalling all workstations. If firewalling may be beyond your resources, at least lock down any extraneous services, enforce strong password/passphrase, start using 2-factor auth if you can. I work at a huge international bank, and in the past year at least one internal employee has been caught trying to harvest information (not client information - but information that would place him one step closer to getting client info). He was caught because of defenw-in-depth. If we had only firewalled the subnetworks, we would not have known an internal attack was happening (and who's to say we would have caught him as moved to more and more sensitive info).

Even though bank employees have backround checks run (just for prior criminal convictions), sometimes these are just first-time "opportunity" crimes. Similar to someone seeing a car with the keys in it and who just can't resist taking it even though he may have never done an illegal thing in his life. Hell, I remember (years ago) when I was a help-desk drone just wandering the network to see what was there, and sometimes came across potentially damaging information. I didn't do anything, but someone else could have. By having high granularity in your security system you can vastly reduce these internal instances (or at least make detection and mitigation much, much easier).

At least this time

[2names (531755)]

we have a list we can refer to. So many times in the past it was just a "try it and see" situation.

A Good Thing

[Skuggamara (853341)]

In my humble opinion, this is a good thing. I run a decent sized IT shop, and I feel that not upgrading to SP2 is akin to connecting your computer/network to the internet without a firewall.

Re:A Good Thing

[A beautiful mind (821714)]

Let's see if they can break my unfirewalled VMS or Twenex (TOPS-20) system ;))

I would like to believe that any intelligent system shouldn't need firewalls.

Re:A Good Thing

[AndroidCat (229562)]

SP2 comes with a firewall..? :) (They might call it a firewall, but a lot of home users will be surprised when they use subnet for file-sharing and open it up to a 255.255.255.0 on their ISP. And the lack of egress blocking is bad when all MS software wants to talk to the Internet.) "Better than nothing" isn't much of a selling point, except for very small values of nothing.

Re:A Good Thing

[Caiwyn (120510)]

"Better than nothing" isn't much of a selling point, except for very small values of nothing.

That's bull. "Better than nothing" is the only selling point, for any application. A Cisco PIX firewall isn't perfect, either, but it's better than nothing. The entire issue at hand is the fact that most Windows users are clueless enough to be connected to the internet without any sort of firewall protection. SP2 will install a firewall that by default blocks all incoming new connections, which is what you want a firewall to do in almost all general cases. "Better than nothing," particularly in this instance, is a huge leap from "nothing." Compatibility be damned, I say it's nice to see Microsoft making a decision to break compatibility for the sake of security, for once.

Last Post!

[AtomicSnarl (549626)]

I'm going to upgrade XP now.... ummm....

Why?

[eznihm (552487)]

No need for a vacation inept geeks, you can turn off Automatic Updates with group policy and you can block the windowsupdate.com site at the firewall. That is, if you *really* don't want SP2.. which IMHO seems to be (relatively!) quite stable and secure.

Why SP2

[Beetjebrak (545819)]

What does SP2 seriously add to the corporate desktop? Admittedly I haven't been in charge of windows desktops since Win2K, but I can't immediately see any advantage. Only support nightmares concerning the builtin firewall. Is a personal firewall really needed on every secretary's desk? I would hope not... they're not supposed to run any unauthorized services other than those required for remote control/remote software deployment.

Re:Why SP2

[smash (1351)]

I'd say a desktop firewall is still a good idea.

Scenario: Manager takes his laptop home on the weekend, or (even better), takes it on a business trip, and plugs into the wireless lan at the airport.

He picks up a copy of MyDoom version super alpha turbo+.

2 days later, he gets back and plugs it into the corporate network in your office.

How many of you can say that *every* windows machine you have on the corporate network is up to date? Thats assuming there's already a patch for Mydoom version supera alpha turbo+ at that point?

The days of the perimeter firewall being all you need are well and truly over (and some would say they were never apparent anyway).

smash.

Don't use windows firewall, update your software

[Zed2K (313037)]

How many of those programs in the list are either old versions, have been updated for awhile now, or can be fixed by just disabling windows firewall?

I bet the majority of them.

I'm still waiting for a slashdot post to strike fear into the hearts of everyone about the end of the world being near.

"help desk personal"

[by Anonymous Coward]

I am looking for a SWM that can keep his call times down to 5 minutes.

I'm curious...

[Xentax (201517)]

Does anyone know if the appcompat system can be used to provide an XPsp1 (or earlier) environment *only* for apps that break in SP2?

I'm asking both "if" it could be done, and whether it IS in fact an option if so.

That seems like a better solution, IMHO, than holding off on upgrading to SP2 forever, if it could be made to work. Of course, I don't think there's any easy way to centrally deploy or manage appcompat stuff, either... :/

Xentax

Ready or not, here comes the FUD

[TrappedByMyself (861094)]

Might be a good time for help desk personal to pencil in a week (or two) of vacation.

Give it up people. I run at least a half dozen of the applications on those lists on a few XP machines with SP2, and have had exactly 0 problems.
When will the "bashing Microsoft makes me feel good" trend end?

Re:Ready or not, here comes the FUD

[A beautiful mind (821714)]

1. I'm not bashing MS personally, i'm just not using it.

2. It will exactly end at the same time when the "pointing-out-that-slashdot-bashes-ms" threads stop sucking up karma. When will people understand that these are two sides of the coin, where rationality is somewhere between, although it occurs exactly as often as you see a coin on it's edge.

I don't understand this whole "service pack" thing

[Capt'n Hector (650760)]

Seriously. On my side of the fence (OS X), we have Security Updates that are released as soon as possible after a hole is found. Then, we have major Updates (10.3.1, 10.3.2, etc). If you're more than one version behind, Software Update installs a combo updater (including all security updates), and you're good to go after one restart, no matter what version you're running. You're only exposed to the net for as long as it takes to download the package. What's so hard about that? Why this huge fuss over a difficult and long project to cram a huge-update-that-everyone-needs into one "service pack"?

You're not comparing apples to apples

[Ucklak (755284)]

OSX 10.0 to 10.1 to 10.2 to 10.3 isn't XP to XP SP1 to XP SP2.
It's more like Win95a to Win95b to Win95c to Win98 to Win98SE to WinME.

OSX 10.2 is vastly different from OSX 10.0 and same from 10.3 to 10.2. 10.4 to 10.3 again will be vastly different. The differences are greater than XP SP1 to XP SP2 or Win2K sp1 to Win2K sp2, etc...

Win95 is Windows Ver 4.0
Win98 is Windows Ver 4.1
WinME is Windows Ver 4.9
Win2K is Windows 5.0
WinXP is Windows 5.1
Win2K3 is Windows 5.2

Full versions of Home based are $200 with upgrades at $100 (Yes you can get them cheaper but this is the legitimate on the record price)
Full versions of Pro versions are $300 with upgrades are $200

OSX 10.0 (Cheetah)
OSX 10.1 (Puma)
OSX 10.2 (Jaguar)
OSX 10.3 (Panther)
OSX 10.4 (Tiger)

All versions are $129 for a full version.
(They also don't require virus protection @ 50/yr or spyeare protection) ;-)

SP2 Causes Problems with Microsoft's own Products

[Ridgelift (228977)]

Virtual PC - 2004 - Microsoft [microsoft.com]
When you run a Windows XP SP2-based virtual machine, it will perform slowly compared to a Windows XP SP1-based virtual machine."

Interesting that a Microsoft product has problem with their own Service Pack.

The Real Story

[mslinux (570958)]

SP2 will not automatically be installed. It will download automatically, but someone still has to accept the license agreement and manually install the service pack. There is nothing automatic about the install. Please stop spreading FUD about SP2!

AU

[jav1231 (539129)]

What is more interesting is how long it takes to install. SP2 is HUGE! This will put off many. I still recommend it, though not for the firewall features. Personally, if you have broadband you should have a decent cable router with your ports closed. No this won't stop internally invited connections but it will do pretty much what the firewall feature is doing. It's a matter of staying up to date, which is essential in a Windows environment. Like it or not, SP2 should be installed. If you don't like it, seriously consider switching platforms. Yes it's frustrating, but we're in a mess. We have a dominant player on the desktop. Until Linux get's more up to speed on the desktop and/or Mac's gain some share this is what we have.

Let me get this stright

[blanks (108019)]

1)People complain about windows security.

2)Microsoft comes out with sp2 that has a built in firewall.

3)People then complain that the firewall makes it so alot of other firewall/security applications don't work.

4)Then they complain that things like FTP and IIS dont work....

Yes there are many applications that should run on this list, but really people, alot of these applications stop working for very good reasons.

FTP dosent work? configure your firewall. IIS dosent work, configure your firewall! Some of these programs stop working for a reason.

MS is doing the right thing

[ztirffritz (754606)]

I'm not an avid supporter of MS, but I believe that credit should be given when and where it is due. SP2 is a GOOD thing. Yes it breaks some things, but that is the price you pay for past mistakes. MS realized that they had 2 choices: 1) continue supporting a horribly flawed system 2) break the cycle, back up, fix the problems and start again. They made the daring choice to back up and start again. That is impressive for a company with a multibillion dollar product with 90% market share. It still isn't perfect, but I think that they know that. They're hoping that Longhorn will solve many of these problems. Maybe they're right, who knows though. At least they tried to help everyone out by fixing the product, giving people time to adopt and adapt, and are firm enough to stick to a schedule, knowing that the fix will only really help if EVERYONE is upgraded. KUDOS to MS. (Someone better take note of this moment, it may never happen again.)

How to make SP2 not suck

[TetryonX (830121)]

First of all, I have found that all the incompatibility comes from two realms: NX-bit protection and the new Windows Firewall. Both are easy to disable.

NX (off): Edit your boot.ini by removing that /NoExecute=OptIn or /NoExecute line. (Go to System properties, Advanced tab. Startup and Recovery startup Settings button. and hit the edit button in the new window., it will open up your boot.ini file).

Clear, simple, and every application will no longer flip out. + you'll get a boost in performance (I take a 10% performance hit when NX is on my laptop, far more visible in photoshop than any other application).

Windows Firewall: First off, GET A BETTER FIREWALL! Next step, net stop sharedaccess and find it in your services (Start->run: services.msc) Disabled it.

Horrah! Your windows should now perform in it's old SP1 ways. (I have yet to find any application to fail after these features were disabled). Oh yeah if you get annoyed by that Windows Security Center, in it's main window on the left side it has a way to change its notification (to completely off because nagging programs suck).

Re:Wonderful...

[MSFanBoi (695480)]

Yet you will willingly go out and get the latest Linux kernel, or the latest update of MacOS X without hesitation right? Heavy handed? MS has given MONTHS (try almost 6 months) for people to do what needs to be done. If other vendors are to slow or just too damn lazy, STOP USING those vendors. SP2 is needed, simply because there are a lot of stupid people using computers. End of story.

Re:Wonderful...

[His name cannot be s (16831)]

So, if we didn't already have SP2 - we're getting it, like it or not - ready or not. Way to chicken-choke your customers there, Bill.

Only if you have automatic updates on.

This reasoning leads to one of two things:

1. You have auto-updates on, and don't know what the fuck you are doing anyway, in which case it's in the best interests of everyone that you are upgraded and at least become a smaller target to worms/viruses/other ilk. Breaking shitty software that has no reason not to have shipped an upgrade by now is no reason to contunually allow machines of this class to be availible as targets.

2. You do not have auto-updates on, and actually understand the risks/benefits to the system you are on. In this case it still is in your hands as to what gets installed. Problem solved.

In either case (1) The big bad microsoft needs to protect you from your own ignorance, or (2) you have the capability to protect yourself, the needs of the many get met. :p

Re:Have fun with that

[mccalli (323026)]

Glad I've got a Mac

Ah, so you'll be enjoying the recent failures with 10.3.8 instead then? Just as I'm 'enjoying' my dual G5's vastly increased fan activity after installing the update? I particularly appreciate Apple's lack of ability to automatically roll the update back...

I much prefer the OS X environment, but I don't really blame Microsoft for the XP 2 failtures. A big OS patch is a big OS patch, problems can occur on any system and it's extremely likely that patches to various apps will be needed along the way.

Cheers,
Ian

Re:Have fun with that

[b166er_zeroone (814319)]

Glad I am running windows95! oh, wait...

Re:help desk "personnel"

[AndroidCat (229562)]

Maybe it's "help desk personnels" with dating ads? "M tek sks F 4 lvl 2 sprt"

Re:help desk "personnel"

[Jon_E (148226)]

Tech: Hello, help desk ..
User: Hi, I'm having problems with my hard disk .. I'm about 5'4" with dark hair, brown eyes, and a petite slim build .. I like walks on the beach, romantic dinners, poetry, science fiction, and smart geeky guys ..
Tech: hold on, I'll be right there ..

Re:Hrmm

[the unbeliever (201915)]

"Thoroughly tested" on what sort of platforms? No matter how thorough of a beta test you do, you can't possibly hit every combination of hardware and software that will be running your software, so you can't possibly know everything that could possibly happen.

There is no bug-free software, excluding things like "Hello World".

I, personally, have had no problems with SP2 on any machine I have it installed on (three pc's at the house with wildly different hardware, and about 7 pc's in my small office with x

Re:Hrmm

[rebill (87977)]

The simplest program ever was a 0-byte file in IBM's MVS operating system. (That O/S had some utilities that could only be accessed by running a "program" - and to get the utility to run without actually doing anything ... well, the solution was a program that literally did nothing).

The funny thing was, someone wrote a Problem Tracking Report (i.e. "Bug") about this, and had the MVS team change the program - the flaw was that the return code register was being set in the utility, but the 0=byte program was not copying this result code into it's own return register, so the program was returning a "success" evem when a failure had occurred.

We co-ops got a chuckle out of it because of the "bugs per line of code" calculation would have had a div-by-zero problem :).

Re:Hrmm

[Saeed al-Sahaf (665390)]

And we all know that the latest bleeding edge Linux distros are bug free... Right?

Bleeding edge != bug fix.

[khasim (1285)]

You are comparing "bleeding edge Linux distros" to a service pack to fix bugs in existing software.

Now, either the apps that broke were depending upon bugs in the OS (in which case, it is the ISV's fault)
-or-
Microsoft's approach to "patching" is wrong.

And please learn the difference between a bug fix and "bleeding edge".

Re:Why?

[pklong (323451)]

Trouble is the majority of non geeks are idiots when it comes to security. Even some geeks can be lazy. The result is the inevitable "my computer is slow on the Internet" phone call, scumbags making money off dialler scams, spam zombies etc. inflicted on the rest of us.

Its the same principle as when driving. Consider everyone else as an idiot. That way when you come across one you're more likely to survive.

Re:Why?

[WhatAmIDoingHere (742870)]

My point is still valid. I use BitTorrent for.. things.. and it murdered my speeds. Same for speeds in eMule. If the "enhancements" cripple how I use my computer, I don't need them.

Re:Ulterior motives?

[His name cannot be s (16831)]

You know, I'm not sure that this is a plan to force all pirated-key windows users to do anything.

You are very correct that Piracy has made microsoft what it is today--That being said, one can never allow piracy to continue unchecked and rampant. It needs to be chased down everywhere it can be. By making it as difficult as they can, casual pirates will be forced to either a) cough up the dough, or b) move to a platform that copying is not piracy (linux/bsd/etc...)

I think that it is in everyone's best interests to really evaluate their dependance on unlicensed software. The slashdot crowd goes bloody balistic any time any one violates the GPL by shipping a GPL derrived product without access to the source. They however seem to have a soft spot for violations of Microsoft's (et al) copyrights.. Odd bunch.

Back to your point tho' ... while the casual home pirates are not actually activly pirating MS's software, they strengthen MS--by making Windows the defacto standard... The Far-east street vendors of pirated software are not building microsoft's empire, they actually shrink it by removing people who would actually pay for their software from the pool.

Re:Any experience with P2P or GoogleDesktop?

[NetNifty (796376)]

Haven't tried google desktop, but the problem with P2P apps and SP2 is that SP2 sets a limit of 10 pending connection attempts per process, which would indeed mess around with some P2P apps. Fortunatly there is a fix [lvllord.de] (although not an official MS one, so either find one from a more trustworthy source or be careful!) that rectifies this problem. I assume it was done to attempt to slow down spam-bots, and hence no easy-to-change for users/the spambot registry entry.

Re:Last time I installed SP2 on my laptop...

[drinkypoo (153816)]

First: I have an IBM laptop with XPSP2 on it. The problem is drivers, and/or BIOS. Have you updated your BIOS yet?

Second: Epson is the only company worse at writing drivers than ATI. Their scanner drivers require that you be an Administrator on NT machines. I am not making this up, this is the official support response. Even their website says you must be an Admin to "install and use" the scanner software. So you can't blame any of this shit on Microsoft. You have shitty hardware made by shitty manufacturers, and/or you haven't done all the updates.