Last week, I spoke with Microsoft about Windows XP Service Pack 2 (SP2) deployment concerns. The good news is that all the information and tools you need to roll out XP SP2 in your environment are now available from the Microsoft Web site (see the links below). The bad and somewhat surprising news is that this information was never made available publicly before, even in beta form. Shame on Microsoft for not making this information available previously.
Shame, I say, because XP SP2 has almost as many new Group Policy Objects (GPOs) as a full-fledged Windows release (609 new GPOs, according to the software giant; the original XP release, by comparison, had about 800 GPOs). And until this week, none of the GPOs were fully documented in a detailed whitepaper. However, Group Product Manager Barry Goffe told me last week that the reported number of GPOs is somewhat inflated. "The bulk of those are in [Microsoft] Internet Explorer, about 50 per zone [or about 250 overall]," he said. "So it's a little less daunting than it seems at first."
Also, although the whitepaper describing XP SP2 features that you can modify via Group Policy only recently became available, Microsoft did ship an Administrative Template Format (.adm) file during the release candidate (RC) phase of SP2 that was somewhat useful; a Microsoft Excel spreadsheet describing these features in the final release is available as well (see the links below). It will be a while before I can thoroughly study these features and practice modified SP2 rollouts, but I'll report my findings as soon as I can.
In the meantime, you might be interested in some insider details about XP SP2. Goffe told me that Microsoft has been working closely with its OEM partners and corporate customers to best schedule its SP2 rollout. Because XP SP2 changes so many things, Microsoft created documentation called "The Book of Springboard," which the company eventually published to the Web as "Changes to Functionality in Microsoft Windows XP Service Pack 2" (see the link below) and updates regularly. The current version is more than 200 pages long.
One reason why Microsoft has had to update the documentation so often is that XP SP2 has changed, over time, in somewhat subtle ways. For example, the no execute (NX) feature, which helps prevent certain buffer-overrun errors, was triggering errors on poorly written applications. "It turns out that there are a lot of poorly written apps out there," Goffe told me (sorry, he refused to name names). "Many of these have bad pointer handling. When you run them on strict hardware, [the applications crash]. Our initial approach in SP2 was to leave NX on across the OS, which we implemented in RC1, and you could use an exception list for opting apps out of NX. This functionality was triggered when an app crashed because of NX. But it turns out that a large chunk of apps that people wanted to use were crashing. So we decided to turn off NX for user-mode apps but leave it turned on for system components. So all the Microsoft bits are protected [by NX], which we think is a great thing. But by default it's off for user-mode apps." Goffe also noted that users could optionally cause applications to run with NX enabled, on an application-by-application basis.
Also, developers compiled XP SP2 with the new /GS compiler flag, which might seem uninteresting to nonprogrammers but directly affects everyone who uses the new system because it adds a runtime monitoring layer for real-time memory scanning. Typically, such an activity would add overhead and slow performance, but Goffe told me that the Windows team was particularly excited by how little this much-needed feature affects performance. The results were so positive, in fact, that Microsoft will recompile Windows Server 2003 SP1 with the /GS compiler flag enabled as well. "On the server side, the /GS flag is huge," he said. "So it will be on in Windows 2003 SP1 next year. In testing, the impact to [Microsoft] IIS is almost zero. That's huge for a highly tuned app like that, especially when you consider the benefit we get from that."
So far, corporate downloads of the service pack have proceeded exceptionally fast, with few support calls; however, the night is still young. Goffe noted that the 272MB full network installation version of SP2 had been downloaded more than 1 million times in 3 days, and Microsoft had, as of last Thursday, pushed approximately 200TB of data out to customers. "Everyone is super excited about it," he said. "Customers are saying that this is the tipping point to get them to XP. Security is their number one issue by an order of magnitude. We're really trying to do the right thing by our customers and the needs they're expressing to us."
Also, users waiting for the final version of XP SP2 for 64-bit systems will have to wait until the end of the year. Microsoft will release versions for both the Itanium and 64-bit Extended Systems versions of XP.
Finally, conspiracy theorists take note: Microsoft has changed the End User License Agreement (EULA) in SP2. But this time, the effect is overwhelmingly positive. Previously, service pack EULAs prevented administrators from distributing or copying the CD-ROM-based version of those releases. That limitation is gone with SP2: Microsoft wants this update to be disseminated as quickly as possible to as many XP-based machines as possible. A EULA change that won't trigger an outcry from Mark Minasi? I think we can all say "Amen" to that.