On Friday, Microsoft finally released its long-awaited Windows XP Service Pack 2 (SP2) upgrade. However, despite its name, XP SP2 is no mere service pack. Thanks to its many pervasive security enhancements, you should treat this release like a major new Windows version, albeit one without any new licensing costs. The real cost of XP SP2 will be felt in the months ahead, as corporations evaluate and deploy this crucial XP upgrade. I say that because Microsoft has taken the unusual step of breaking certain technologies in a bid to make the system more secure. These changes could cause big problems with certain custom-made applications and services, so proceed with caution.
I won't waste space here detailing the many functional changes in XP SP2. Instead, please visit my exhaustive review of XP SP2 on the SuperSite for Windows (http://www.winsupersite.com/article/reviews/windows-xp-service-pack-2-with-advanced-security-technologies-review.aspx) with the understanding that my recommendations at that site are aimed at individuals, not businesses. Likewise, I won't belabor the details of Microsoft's staged rollout of XP SP2; you can find that information in my WinInfo Daily UPDATE article announcing the SP2 release (http://www.winnetmag.com/windowspaulthurrott/article/articleid/43542/windowspaulthurrott_43542.html). Suffice it to say that, depending on your relationship with Microsoft, you should be able to get your hands on this release and the necessary support files by the end of the month at the latest.
This week, I focus on the potential ramifications of XP SP2 in the enterprise and suggest a rational strategy for getting this release to your users as quickly as possible. Barring some cataclysmic incompatibility problem that arises in the days ahead, ultimately you'll want to deploy XP SP2 sooner rather than later. The reason is that XP SP2 is both much more secure and more configurable than its predecessor. That latter bit hasn't been publicized enough, so let me be specific: XP SP2 includes more than 600 new Group Policy Objects (GPOs) for you to fiddle with, almost as many new GPOs as the original XP release included; I'll be examining these GPOs soon. And as you might expect, Microsoft is supplying new versions of some of its deployment tools as well.
Ramifications of XP SP2
Most support calls that XP SP2 generates will be caused by incompatibilities. These incompatibilities will take several forms. Although most commercial software should work fine with XP SP2, those programs that access information online might trigger Windows Firewall warnings, and custom-built applications, intranets, and Web sites that use functionality that Microsoft locked down in XP SP2 might fail without warning. For more information about this locked-down functionality, please refer to the Microsoft Developer Network (MSDN) resources for XP SP2 at http://msdn.microsoft.com/security/productinfo/XPSP2/default.aspx.
End users will find XP SP2 somewhat jarring unless their systems are up to date with antivirus software and Automatic Updates and they leave Windows Firewall enabled. However, even with Windows Firewall enabled, users will likely run into the occasional authorization dialog box when the firewall detects incoming network traffic aimed at an application that isn't yet in its exceptions list. For people unfamiliar with firewalls, this interruption will likely be disconcerting.
From the perspective of the corporate network, XP SP2 probably won't be notably different from current XP installations and might even be responsible for preventing various electronic attacks. However, as I've stressed in past commentaries, XP SP2 does nothing to help after a malicious user has mounted a successful attack; in such a case, an infected PC could still be used to launch zombielike attacks on other PCs. For this reason, you should consider augmenting XP's Windows Firewall with a third-party solution that offers protection for outbound communication in addition to inbound communication.
In short, XP SP2 should be an overwhelmingly positive update for most companies after they get beyond the sheer effort of deploying it. However, compatibility concerns will always be a potential wrench in the wheel, necessitating heavier testing than usual.
Planning an XP SP2 Deployment
If you're planning an integrated or slipstreamed installation of XP SP2, either from a network share or via CD-ROM, the instructions haven't changed. I spent this past weekend experimenting with both methods and found the process to be relatively straightforward. And Setup Manager--the GUI tool you use to create unattended installations of XP through a network share--appears to work identically to earlier versions. For larger deployments, you can use Windows Installer or Remote Installation Services (RIS) to distribute the service pack via a GPO to any Active Directory (AD) container (e.g., organizational units, or OUs). I haven't tested either of these options yet, but my understanding is that XP SP2 doesn't change either of these methods.
However, Sysprep--the Windows System Preparation tool--has changed. Sysprep, as its name implies, helps you prepare customized Windows installation images for use in automated deployments. With XP SP2, Microsoft is shipping a new version of Sysprep that's compatible with all versions of XP, as well as Windows Server 2003. (A newer Sysprep version will also be supplied with Windows 2003 SP1 next year, I'm told.) If you're going to deploy XP SP2 at all, you must use the version of Sysprep that comes on the XP SP2 CD-ROM. Naturally, you can also deploy XP SP2 through Windows Update or Microsoft Systems Management Server (SMS). Microsoft has published simple instructions for SMS distribution on its Web site (http://support.microsoft.com/default.aspx?kbid=842844&product=windowsxpsp2).
How and When to Roll Out XP SP2
Although XP SP2 is technically finished, it's still early in the rollout process, and I'm sure you'll be muddling through its changes and deployment options in the days ahead, as will I. But I stress: You should deploy XP SP2 as quickly as possible (as soon as you've tested the installation to ensure that it doesn't break any mission-critical software or services). If you've been testing this deployment over the summer, please contact me: I'm interested in any experiences you've had with this disruptive Windows update. In the meantime, get busy. We all have a lot of work to do.
Links to Related Resources
Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install http://www.microsoft.com/downloads/details.aspx?familyid=15491f07-99f7-4a2d-983d-81c2137ff464&displaylang=en
Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install http://www.microsoft.com/downloads/details.aspx?familyid=535d248d-5e10-49b5-b80c-0a0205368124&displaylang=en
Windows XP Service Pack 2 Network Installation Package for IT Professionals and Developers http://www.microsoft.com/downloads/details.aspx?familyid=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&displaylang=en
Windows XP Service Pack 2 Support Tools http://www.microsoft.com/downloads/details.aspx?familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en
Windows XP Service Pack 2 Deployment Tools http://www.microsoft.com/downloads/details.aspx?familyid=3e90dc91-ac56-4665-949b-beda3080e0f6&displaylang=en
Windows XP Service Pack 2 SMS Files http://www.microsoft.com/downloads/details.aspx?familyid=938f3fec-9e63-40c2-83a6-fc97a239ddd5&displaylang=en
Windows XP Service Pack 2 Checked Build Network Installation Package http://www.microsoft.com/downloads/details.aspx?familyid=7a4d8d12-9f5d-42bb-b31c-7b31657c869c&displaylang=en