Security Blog Log: Vista SP1; To be or not to be?

This week in Security Blog Log: The owner of The blog sparks controversy by posting what he claims are 100 fixes slated for Windows Vista Service Pack 1 (SP1).

To be or not to be?

That's the question bloggers are asking after Microsoft took the owner of The blog to task for posting what he claims are 100 fixes slated for Windows Vista Service Pack 1 (SP1).

Specifically, the question is whether Microsoft will actually release a Vista service pack in the near future. Windows users have come to expect such releases following upgrades to the operating system, and many IT administrators usually won't install a major Windows upgrade without one. Their philosophy is that it's best to wait for a service pack because by then many of the kinks early adopters run into have been ironed out. owner Ethan Allen has received a lot of media attention for posting the so-called Vista SP1 preview. Allen, a software quality assurance manager based in Bellevue, Wash., has been saying in published reports that he got his hands on the fixes from someone close to Microsoft with access to the technology.

Microsoft does plan a Vista service pack and conventional wisdom is that it'll be out in the second half of 2007, when the next release of Windows Server -- code-named Longhorn -- is due out. But the company hasn't set a firm date on the release. Allen's preview page has sparked speculation that a service pack release may be sooner rather than later.

Microsoft is not happy, if this posting on the official Vista blog is any indication:

"A blogger … posted a collection of individual Windows Vista hotfixes as a supposed Windows Vista Service Pack 1 (SP1) preview," Vista product manager Nick White wrote. "However, those of you who've been closely following discussions on Windows Vista will quickly notice that what is posted consists of some material already available on Windows Update and some hotfixes that we give out on a case-by-case basis, along with a lot of speculation about what may and may not be included in SP1."

White said it looked as though Allen compiled a list of previous mentions of SP1 -- purely conjectural and already discussed in other blogs, he said -- and stitched it together with another list of hotfixes mentioned in various Microsoft Knowledge Base articles.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].

"You probably already know that we create and release hotfixes on a regular basis for very specific customer scenarios or for OEM-shipped machines, and that it's standard policy that all hotfixes are rolled into the next service pack release," he wrote. "However, a service pack is not just a compilation of hotfixes and security updates, so don't make the mistake of thinking that the set of fixes offered in this particular blogger's list represents a preview of the service pack itself."

Robert McLaws, an Arizona-based software consultant and self-described online pundit, wrote in his popular Windows Now blog that Microsoft is trying to keep quiet about Vista SP1 because the company doesn't want it to "unnecessarily" hinder the adoption of Vista.

"I say unnecessarily because the mentality still exists that Microsoft products aren't worth upgrading until the service pack comes out," he wrote.

But in McLaws' opinion, users shouldn't feel like they have to wait for a service pack. "Vista is without question the most consumer-focused release Microsoft has ever done, mostly because more testers gave Microsoft feedback than in any previous release," he wrote.

Nevertheless, he believes Vista SP1 will be ready this year because Windows Vista and Windows Server 2007 share the same code base, which means both operating systems use many of the same binaries.

"While Windows Vista has gone through more reliability testing than any previous consumer OS, Windows Server 2007 will have an extra 6-10 months of testing. So Microsoft gets a two-fold benefit for the extra WS2007 testing this year," he said. "The end result is that Windows Vista SP1 will have the same stability, security, and reliability as a server OS. This cannot be understated: Microsoft has never had server reliability on the desktop before."

Though this may become the first time in Microsoft's history that the first service pack is released the same calendar year as the first release, he wrote that people shouldn't take it to mean that Vista is more buggy or less stable than it should be.

"It just means that the Vista will get to reap the benefits of the additional server testing that is going on as we speak," he said.

Ron Schenone, a Microsoft MVP who keeps a blog called The Blade, was among those speculating that a Vista service pack may never see the light of day.

He wrote that the smart money has been on waiting until Microsoft released a service pack or two before adopting the newest operating system, since that's what happened with Windows 2000 and XP.

"Well that might not be the case with this release," he wrote. "[It] seems that Microsoft is very satisfied with Vista thus far and that they may choose to provide fixes as needed via Windows update."

The thinking is two-fold. He said smaller doses of updates would not be as disruptive as Windows XP SP1 was, when many PC owners found themselves with slow-running systems. Also, providing bandwidth for millions of service pack downloads is costly to Microsoft, and it may not be necessary to spend the money in this case.

"But who knows," he said, "Microsoft could change their minds and still provide service packs in the future."

Joseph Fieber, founder of the ITsVISTA blog, is betting that Vista SP1 will come out, and that Microsoft will schedule the release for the holiday shopping season.

"There will be a service pack, it will contain all available fixes, and I predict it will be made available on Nov. 30 of 2007," he wrote. "Having it out before Thanksgiving would help with early holiday season spending."
