I am always surprised to see stories about people lined up at computer stores at midnight to be among the first to get the latest Microsoft release. I think that's a big mistake -- all software needs the kinks worked out. I want other people to beta test the software for me. Those who rush to deploy a service pack such as this may be biting off more than they can chew.
With XP SP2, this is even truer for enterprises that are generally secure. SP2 has been touted as a major improvement in Windows security, and it definitely is. There are fundamental improvements in the software as well as new software algorithms to prevent currently unknown vulnerabilities from being exploited when they are discovered. Probably most important aspect for the typical computer user is that security features, such as the Internet Connection Firewall (ICF), are turned on by default.
In most situations, this would be a good thing. However, security features that are suddenly turned on by default can create many problems. For example, one of my home computers stopped sharing its printer to the network. It took an hour to figure out that it was caused by the ICF.
Most computer and security savvy users have likely configured their systems to be generally secure. They likely use a personal firewall, antivirus software and other utilities loaded on their systems. For these people, having the ICF and other Windows security utilities turned on will create problems.
At this point, there is no critical reason to update to SP2. I recommend that people and companies wait a couple weeks and watch the dust settle. Let other people discover the compatibility problems, and the vendors create fixes for those problems. Hopefully someone will summarize the known compatibility issues within a short period of time and take the guesswork out of the update process.
Don't get me wrong. I applaud Microsoft for all the security improvements that it's making and turning on security by default. However I assume that people who are smart enough to find this article are secure enough to wait a few weeks. I really don't think that anyone will put "One of the First 100,000 People to Implement SP2" on their tombstone. If they do, they didn't have a life to begin with.
About the author
IRA WINKLER, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.
This was first published in August 2004