Microsoft Quietly Releases Windows 2003 SP2

Several readers noted that Microsoft has quietly released 32-bit Windows 2003 Service Pack 2 for download. (The 64-bit edition is still showing as a release candidate on the site.) The installation of SP2 may potentially regress hotfixes that have been deployed previously; Microsoft has released a script to scan for hotfixes that may potentially regress.

Where is XP sp3?

[Joe+The+Dragon]

even just a update roll up would be nice. When you install a new xp sp2 system there is a lot of updates that you need to.

Re:Where is XP sp3?

[Izago909]

There are two good options. They don't have every last update for the various flavors of XP (home, pro, and media center) but they have the majority of them.

Autopatcher and Offline Updater

Both have options for 2000, XP, and 2003 Server

Re:Where is XP sp3?

[Professor_UNIX]

When you install a new xp sp2 system there is a lot of updates that you need to.

You should start with a fresh install of Vista first, there are a lot less patches available right now so it will go quicker. :-)

Re:Where is XP sp3?

[el+americano]

I'm still waiting for SP5 for Windows 2000. I think I'm going to be waiting a long time.

XP x64 as well

I fired up Windows Update on my XP Pro x64 rig today and it had a 350MB patch for me.

Didn't seem to change much, if anything.

WPA2 Support

[solevita]

At long last! Finally we can un-wire all those unsightly server rooms and start providing data in the same style that we consume it. I for one welcome our new servers-in-beds overlords.

Re:This is one of the reasons I prefer Debian.

[suv4x4]

Very good point. Why does MS prefer big honkin' files over a more granular approach anyway?

Microsoft doesn't prefer it: their corporate customers do, as they have to perform lengthy and expensive tests to confirm all of their mission critical apps work with the SP (imagine doing it after every patch).

Also the GP said that in Linux updates just mean the app is "updated" and there aren't any backwards incompatibilities... Hehe, I'd love to be that naive myself. Just consider however, we don't all run amateur home servers for our php blogs.

Re:It's not funny

STFU Malda

Where's my XP SP2b?

[DigiShaman]

Seriously, I NEED an XP SP2b package (all updates up to IE7).

I'm not making a comment. I'm asking a serious question here! XP SP2b OEM disks are already being sold in stores.

Re:Where's my XP SP2b?

[ni5mo]

Try the RyanWM Integrator.

He has an update pack to 2007/02/16.

Quietly?

[AlHunt]

> Microsoft Quietly Releases Windows 2003 SP2

Quietly releases?

Posting it here certainly made it a lot noisier.

Re:This is one of the reasons I prefer Debian.

[mobby_6kl]

Most of the updates in SP2 have been already released as separate patches by now. If the system was kept up to date, this SP will only download/install only the few things that are missing and you don't have to go back and re-install anything.

Basically, an SP is mainly a a convenient way of getting an outdated system fully patched-up.

What made this release so "quiet"?

[kestasjk]

Some of you are asking what made this release so "quiet".

What happened is in the black of night Ballmer, dressed in his ninja outfit, shimmied along the walls of the MS datacenter with a CD with this service pack on. He used his glass-cutters to silently sneak through a window, and snuck up into the vent before guards could see. Using a series of mirrors to deflect the trip-lasers he then lowered himself down from a vent grate, and uploaded the Windows 2003 service pack onto the server.

Why was it released so quietly? Who knows, but I'm sure there's something evil at work here. Thanks to the submitter for pointing out that this release was suspiciously quiet.

Re:What made this release so "quiet"?

[Speed+Pour]

To answer that question is simple, it's a server platform. If they did an SP update for XP or Vista (gawd knows they should hurry given all the problems), it would show up on ever web page they have. Since win2k3 was never meant to go to an average consumer, it's just not worth advertising through most mediums.

If that isn't a good enough answer, just look at the list of what's new...There's nothing of significant value, and all of the security/bug fixes are already addressed with regular critical updates. Who cares about this update? It's a 'value improvement' update at the very most.

Now for my question...why was this made into a slashdot article? Judging by the number of comments so far, it's clearly not of much interest to anybody...and anybody who's running the os will receive a notification in the next few days anyway.

Re:What made this release so "quiet"?

[professorfalcon]

That's not how I heard it.

What happened is that with the sun high in the sky and the wind at his back, Balmer, dressed in his pirate outfit, sailed his mighty ship through the walls of the MS datacenter with a CD with this service pack on it. He ordered parallel volleys across the bows of the blade servers from both the starboard and port sides of his mighty vessel. And of course, he made the guards walk the plank. After destroying the lasers and the grate with his hook arm, he uploaded the Windows 2003 service pack onto the server.

Re:What made this release so "quiet"?

[StressedEd]

..it's just not worth advertising through most mediums.

Perhaps that is why so few people were aware of the update, they don't posess psychic powers.

Re:This is one of the reasons I prefer Debian.

[kestasjk]

I don't like mindless pro-Linux droning either, but personally I prefer to deal with small updates every day, which are very unlikely to affect anything, than a traumatic experience every month which is rather likely to affect something, where you'll have no idea which of the bundled hotfixes are doing the damage.

Also you have to balance out the bonus of having the bug/security hole fixed immediately; shouldn't it be done right away to avoid worse problems?

Re:This is one of the reasons I prefer Debian.

[Threni]

> No it won't. The full 350Mb appears on Windows Update even if you're fully patched up.

That's not what happens with XP, so I'm guessing that if what you say is true then it's a mistake and not a stupid idea on Microsoft's part.

ninja Ballmer

[game+kid]

He shall be remembered forever as the first ninja in history to squirt shurikens and throw chairs at targets.

Re:ninja Ballmer

[Nimey]

Squirt shurikens from /where/?

Re:I guess, we can make an apt comparison with...

[The+Clockwork+Troll]

What I find interesting is that they improved upon the operating system with only 32 bits of code.

I guess that means that the entirety of the release is a HALT instruction?

I'm here all week.

Re:This is one of the reasons I prefer Debian.

[CastrTroy]

But those tests are only so lengthy and expensive because just about anything can change. If you know that there's a change in Samba, you only have to test the things that depend on Samba, you don't have to retest everything in the system. The fact that you have to test so many things when you upgrade is just a microsoft thing. There isn't a lot of things that break if your patch consists of actually just fixing a single, or small number of bugs.

Re:I guess, we can make an apt comparison with...

[gregleimbeck]

My god, how often do you run updates? When I tried to update one of my test boxes running RC2 it detected that SP2 was already installed. I had to uninstall the RC version for it to detect that the "official" release was needed.

Now, where's XP Service Pack 3??

[ErichTheRed]

Good to see Microsoft is still releasing service packs for Server 2003. However, I really want to see SP3 for XP. Building an XP box, even from SP2 media, requires over 75 patches in our environment! It takes nearly 50 minutes of cranking every time we have to build a new master disk image. Not all of us upgrade instantly.

It's nice that Microsoft makes the patches available separately. For those who don't do it, you wouldn't believe how much work it is testing patches and narrowing down which one broke an application. However, I think they should have one monster rollup available at least every few months. Most of that 50 minutes is spent dependency-resolving, isolating and backing up the files that each patch replaces. Doing that once is better than 75 times.

One thing I don't like about MS is that they tend to abandon customers who can't or won't upgrade to the next version of a product. I'd love to be on IE7, but we're stuck on 6 until several dependencies get fixed. I'm not too wild about Vista, but know that we have to go that way in the next year or so just to ensure we get the latest security fixes. Microsoft guarantees they'll backport fixes for a while, but you can bet they're doing all the active research on Vista. I can't agree with people who say they should still support NT, but most of the enterprise-class vendors have a much more lenient upgrade policy. (OpenVMS is at least kind of supported 3 versions back, IIRC.)

Re:Now, where's XP Service Pack 3??

It takes nearly 50 minutes of cranking every time

they let you do that at work? in front of each computer?

Re:This is one of the reasons I prefer Debian.

[suv4x4]

But those tests are only so lengthy and expensive because just about anything can change. If you know that there's a change in Samba, you only have to test the things that depend on Samba, you don't have to retest everything in the system. The fact that you have to test so many things when you upgrade is just a microsoft thing. There isn't a lot of things that break if your patch consists of actually just fixing a single, or small number of bugs.

What you're talking about is simply the wrong perception of a guy who never dealt with the issue at hand.

Tell me: how can it be less testing to test individually all components that could be affected by a patch, versus testing for all components that could be affected by a list of patches. Especially if several patches affect the same exact components.

A SP isn't a black box. You get a list of the small fixes that are contained inside, so you again know what is being changed.

Also, testing just what could obviously break is a terrible way to test. A read a story about someone, who after upgrading to Linux kernel 2.6 started having random lockups in PHP/Apache.

What changed? After long and extensive testing, it turned out that sessions use /dev/rand/ which is fed entropy from HDD, mouse, keyboard and network activity. In 2.6 network activity was no longer used (security issue), and the server hand no mouse, keyboard, and all files were on a NFS share. So /dev/rand/ was "running out of entropy" and blocking.

How would YOU guess that your 2.4 -> 2.6 kernel upgrade would cause PHP sessions to lock up under heavy load, when you look at the list of changes?? Answer: you wouldn't.

You'd deploy this on the live servers and experience mysterious downtimes all the time. And THIS is why enterprises test throughly all critical apps, even for the smallest patches.

I came, I saw, I... WTF?????

[qzulla]

15 hr 7 min on dial up

Crap! I run my server on dial up. Guess this is going to be a long night.

Thanks a LOT, /.

qz

Re:This is one of the reasons I prefer Debian.

[gregleimbeck]

This is not so much of an issue for me now, but in the past I have had to spend days going through change management to install anything on a server, be it a hotfix, service pack, whatever. I, for one, welcome our big honkin' file overlords.

Re:This is one of the reasons I prefer Debian.

[fastgood]

-

Another point to big service packs is that once SP(n) is released, marketing can admit SP(n-1)
is really quite insecure on WIN(r-3) and how WIN(r) is now strongly recommended for your shop

Re:This is one of the reasons I prefer Debian.

[Lloyd_Bryant]

Also, testing just what could obviously break is a terrible way to test. A read a story about someone, who after upgrading to Linux kernel 2.6 started having random lockups in PHP/Apache. Apples and Oranges. A change to the kernel potentially affects EVERYTHING on the system. Anyone doing a kernel upgrade *should* be retesting everything on the system.

The issue with MS products is their downright incestuous relationship with each other. An update to IE can potentially affect Word. A patch for a security bug in IIS can cause SQL server to go wacky. The reason that business prefers Service Packs to patches is because they've learned the hard way that if you change ANYTHING on a Windows box, you have to recertify EVERYTHING.

Re:This is one of the reasons I prefer Debian.

[suv4x4]

Apples and Oranges. A change to the kernel potentially affects EVERYTHING on the system. Anyone doing a kernel upgrade *should* be retesting everything on the system.

Windows doesn't have a monolithic kernel like Linux. Are you going to flame now all OS with hybrid kernels and microkernels?

You wouldn't be right anyway, since there are tons of library dependencies in Linux apps where updating a component could cause a chain reaction affecting all libs that use it, the libs that use the libs, and some app that uses the latter libs, you never suspected.

Re:Old News?

[electrosoccertux]

Just got off the phone with Digg and they want your middle-school ass back.

Large patches are needed for some companies

[mlts]

A number of companies have applications which are only supported by the vendor at selected patchlevels, with no other software allowed. Microsoft releasing large collection of patches as service packs makes the job of vetting various hardware and software configurations easier. Its easier for a vendor to state that their application runs on Windows 2003 SP2, rather than Windows 2003, with a large amount of patch numbers needed.

Plus, (IMHO of course), it was time for a service pack for Windows 2003 anyway.

Re:This is one of the reasons I prefer Debian.

[suckmysav]

More to the point, if I see an update come through on Ubuntu that is for "gnome-desktop-calendar" then I can be pretty sure that even if it is borked, it won't bork my entire system, and even if it does, I will know where to look in order to fix it.

On the flip side, if I apply W2K_SP2.exe to my server and something breaks I have a much more difficult time identifying the problem and often the best short term course of action is to roll back the entire service pack.

And that's +5 Informative?

[khasim]

How would YOU guess that your 2.4 -> 2.6 kernel upgrade would cause PHP sessions to lock up under heavy load, when you look at the list of changes?? Answer: you wouldn't.

Actually, I can think of a dozen different ways it would.

You're talking about going from one MAJOR kernel version to a different MAJOR kernel version.

You'd deploy this on the live servers and experience mysterious downtimes all the time.

Why would you deploy a MAJOR change on production servers without massive testing?

A "service pack" would be more like lib-foo_2.1.2 going to lib-foo_2.1.3.

Which is different than going to lib-foo_2.2.0.

Which is far different from going to lib-foo_3.0.0.

Which is far different from going to kernel 2.6.x from kernel 2.4.x.

Re:This is one of the reasons I prefer Debian.

[utnapistim]

I don't like mindless pro-Linux droning either, but personally I prefer to deal with small updates every day, which are very unlikely to affect anything, than a traumatic experience every month which is rather likely to affect something, where you'll have no idea which of the bundled hotfixes are doing the damage.

Ummm ... yes, but that is you, not a corporate customer.

A few years back I was working for a company developing a large financial platform, and they were testing a few months before getting to the next service pack (then, the sys-admin installed it on all computers). This was being done on separate machines, and a full battery of tests had to be run, before approving the upgrade company-wide.

You simply cannot afford that, when you have a lot of small upgrades, spread over the same period. Also, when considering the same updates but distributed differently (small updates vs. service-pack) their likeliness of affecting something is exactly the same.

Re:This is one of the reasons I prefer Debian.

[turbidostato]

"You wouldn't be right anyway, since there are tons of library dependencies in Linux apps where updating a component could cause a chain reaction affecting all libs that use it, the libs that use the libs, and some app that uses the latter libs, you never suspected."

Yes.

Still, I have yet to have *any* problem on a security update on Debian "stable" on about six years. How's that possible?

I'll tell you: Microsoft updates are not *security* updates; they overly change the way Windows behaves so it's no wonder something breaks because of it. If they were as concious as Debian people are about fixing *only* security holes and doing it by introducing the less possible changes and no behaviour change at all, you could bet Windows patches wouldn't be such a nightmare.

Please understand that has nothing to do with being Windows or Linux but about how serious they are about how upgrades have to be done: Debian is rock solid; Red Hat a bit of a concern; Gentoo almost doesn't pay attention to it; Microsoft is about as good as Gentoo.

List of regressed hotfixes

[DanMc]

I analyzed the script and extracted the list of possible hotfix regressions. None of them appear to be standard hotfixes. None are installed as part of a WindowsUpdate or SP1. If you have these on your system, you probably installed them after searching the KB to solve a specific problem. Many of the updates do not have public KB articles or descriptions, so you'd have to have gotten the patch after being sent the patch from MSPSS. Here are the public hotfixes that are regressed:

http://support.microsoft.com/kb/898073 = [IE6 crashes on] digest proxy authentication [to https sites] http://support.microsoft.com/kb/918005 = Battery power may drain more quickly [after unplugging or undocking] http://support.microsoft.com/kb/918837 = power management is turned off [after disabling WakeOnWirelessLAN] http://support.microsoft.com/kb/924078 = [error opening] Properties [...] for a network printer on [WinXP] http://support.microsoft.com/kb/924301 = AutoComplete feature [broken after following javascript link in IE6] http://support.microsoft.com/kb/925020 = [Lockup when using] USB device on a multiprocessor computer http://support.microsoft.com/kb/925240 = warning message [...] new password that does not meet the requirements http://support.microsoft.com/kb/925513 = Error code Winsock [...] "WSAECONNABORTED (10053)" http://support.microsoft.com/kb/926047 = [Misplaced] AutoComplete box [...] in Internet Explorer 6 http://support.microsoft.com/kb/926132 = ...WMI does not clear event registrations when the corresponding sink... http://support.microsoft.com/kb/926754 = STOP: 0x000000D1 (parameter1 , 0x00000002, 0x00000000, 0xf27b4e8e) http://support.microsoft.com/kb/926940 = SQL Server 2000 Service Pack 4 stops responding http://support.microsoft.com/kb/927291 = Dfsutil /import" command takes a long time to finish http://support.microsoft.com/kb/927493 = Winsock programs may exhaust the system's non-paged pool http://support.microsoft.com/kb/929620 = increased paging to the hard disk when you run an SAP R/3

These fixes are regressed, but they're not published on the public Knowledge Base:

"919757" "925290" "926305" "926513" "926583" "927197" "927436" "927893" "928194" "929066" "929759" "930620" "933452"