First SP2 fall-out hits users

The first compatibility issues thrown up by Service Pack 2 have not been too scary, but with most users still to install the...

The first compatibility issues thrown up by Service Pack 2 have not been too scary, but with most users still to install the Windows XP update, far worse could be on the way.

Microsoft has had to issue warnings that its customer relationship management product and Baseline Security Analyzer tool need updates to work with SP2. And Symantec is working on an update to make its products work with the new Windows Security Center, which shows the status of security products installed on a system.

The limited fall-out to date could be because many users have held off on installing SP2, despite Microsoft urging all users to install this "critical" update as soon as possible, and because many users haven't got SP2 yet.

Microsoft plans to start pushing out SP2 via the Automatic Updates feature in Windows and make it available to users of its Software Update Services deployment tool. SP2 should be available on Microsoft's Windows Update website for self-installation later this month. Retail distribution, free CDs and installation on new PCs will follow.

Companies are testing SP2 for desktop and web compatibility issues. The testing is important because SP2 is more than the usual compilation of bug fixes and updates.

Changes to Windows XP made by SP2 fall into four main areas: network protection, memory protection, e-mail security and browsing security.

Microsoft has focused on security at the expense of compatibility. As a result, SP2 can break some existing applications and make some features on web pages inaccessible.

"We're going to sit back at least a couple of weeks, possibly a couple of months before broadly rolling out SP2," said John Studdard, chief information officer at US company Lydian Trust. "We have to get our arms around all the things that are in there. Until you get it, you don't know what it is going to do to your environment."

Studdard is concerned about online services, particularly Lydian's banking website, which uses pop-ups to display features such as a mortgage calculator - SP2 includes a pop-up blocker.

When it comes to its XP desktops, Studdard is treating SP2 as a new Windows release. Experienced users will test SP2 for a month and other XP systems will be updated if there are no issues.

IBM has already discovered conflicts between its business-critical applications and SP2. The company instructed staff not to download SP2 and plans to deploy a custom version once the issues have been addressed.

Ken Meszaros of LandAmerica Financial Group fears Microsoft may have gone overboard with the security features in SP2.

"Applications run this business," he said. "Security, although extremely important, cannot disable the organisation. I am glad Microsoft took the time to provide methods for controlling the behaviour of the security features in SP2. Only in testing over the next few months will we determine if Microsoft’s efforts were good enough."

Microsoft has advised customers to test SP2 thoroughly before deploying it. Users who rely on Windows' Automatic Updates for patches but don't want SP2 to be downloaded automatically can set a registry key to skip SP2 but still download other critical updates. A tool to set the key is available on Microsoft's website.

Pundits have praised Microsoft's security drive with SP2, but while users are testing it, hackers and security professionals are picking it apart, looking for vulnerabilities.

"We will see new vulnerabilities discovered in SP2 over the next few weeks," said PivX Solutions security researcher Thor Larholm. "Give it a month or two and we will also see worms that affect SP2."

Joris Evers writes for IDG News Service

Read more on PC hardware