On July 30, Microsoft released Windows 2000 Service Pack 3 (SP3). Users should consider loading the new service pack for a variety of reasons, including the fact that the new service pack contains all the fixes presented in the Win2K Security Rollup Package 1 (SRP1). In addition, when you install SP3 over a previously installed SP1, your systems will support 128-bit encryption. Also note that according to the README file on Microsoft's Web site, "beginning with Service Pack 2, 128-bit encryption is supported as the default, so if you previously installed Service Pack 2 (SP2), your computer has already been upgraded to this level of encryption. Furthermore, if you revert to SP1 or earlier, your computer will retain 128-bit encryption ...." Note, however, that after you install SP3, the Windows 2000 Protected Store is not upgraded to 128-bit encryption. Microsoft has released a patch and tool to upgrade the Protected Store. You can obtain these from Microsoft Security Bulletin MS00-032 (Patch and Tool Available for "Protected Store Key Length" Vulnerability). The FAQ for this security bulletin provides more information about Protected Store, the patch, and the tool.
Microsoft also said that "SP3 includes Automatic Updates, which notifies you when critical Windows 2000 fixes are available. Automatic Updates is a proactive pull service that automatically downloads and installs Windows updates, such as critical operating system fixes and Windows security patches." SP3 also includes all fixes contained in Internet Explorer (IE) 5.01 with SP2 and also contains functionality fixes for IE and Outlook Express 5.01. Win2K SP3 is available for download from Microsoft's Web site or available on CD-ROM. The CD-ROM costs $14.95 plus $5 for shipping and handling.