• PC World
• »Software
• »Operating Systems

Since Microsoft began the staged rollout of Windows XP Service Pack 2 (SP2) late last week only minor compatibility issues have come up, but that might be because many users are waiting to install the update.

Microsoft has issued warnings that its customer relationship management (CRM) product and Baseline Security Analyzer tool need updates before they can work with SP2. Also, Symantec is updating its products to work with the new Windows Security Center, which shows the status of security products installed on a user's system.

The limited fallout to date could be because many users are holding off on applying the update, despite Microsoft labeling it "critical" and urging all users to install it as soon as possible. Earlier this week Microsoft released a network installation package for IT professionals to update multiple computers on a network.

Also, many users haven't got the service pack yet. Microsoft expects to start pushing out SP2 via the Automatic Updates feature in Windows and make it available to users of its Software Update Services deployment tool. The service pack should be available on Microsoft's Windows Update Web site for self-installation later in August. Retail distribution, free CDs from the company and inclusion on new PCs will follow.

Changes to Windows XP made by SP2 fall into four main areas: network protection, memory protection, e-mail security, and browsing security. Microsoft has made a trade-off, focusing on security at the expense of compatibility. As a result, SP2 can break some existing applications and make some features on Web page inaccessible, through changes in Internet Explorer.

Companies Wary

Companies are testing SP2 for compatibility issues, both for the desktop and the Web. SP2 is more than the usual compilation of bug fixes and updates.

"We're going to sit back at least a couple of weeks, possibly a couple of months before broadly rolling out SP2," says John Studdard, chief information officer at Lydian Trust in Palm Beach, Florida. "We have to get our arms around all the things that are in there. Until you get it, you don't know what it is going to do to your environment."

Studdard is mainly concerned about Lydian's online services, particularly its banking Web site, he says. The site uses pop-ups to display features such as a mortgage calculator. SP2 includes a pop-up blocker. When it comes to its XP desktops, Lydian is treating SP2 as a new Windows release. Experienced users will test the service pack for a month and other XP systems will be updated if there are no issues, Studdard says.

IBM already found that some of its business-critical applications conflict with SP2, and told its employees not to download SP2 because of the compatibility issues. The company plans to deploy a custom version of SP2 once the issues are addressed.

Compatibility issues are also a concern at LandAmerica Financial Group, says Ken Meszaros, assistant vice president and infrastructure manager at the real estate transaction services provider in Richmond, Virginia. Meszaros fears Microsoft may have gone overboard with the security features in SP2.

"Applications run the business. Security, although extremely important, cannot disable the organization," he says. "I am glad Microsoft took the time to provide methods for controlling the behavior of the security features in SP2. The implementation must provide the necessary flexibility to continue daily operations, while improving overall security. Only in testing over the next few months will we determine if Microsofta??s efforts were good enough."

Controlling the Update

Microsoft has recommended that customers thoroughly test SP2 before deploying it.

Users who rely on Windows' Automatic Updates feature for patches, but don't want SP2 to be downloaded automatically, can block the download by setting a registry key that will instruct the system to skip service pack, but still download other critical updates. A tool to set this key is available on Microsoft's Web site.

Pundits have praised Microsoft's security efforts with SP2, but while users are testing the service pack, hackers and security professionals are picking it apart, looking for vulnerabilities.

"We will see new vulnerabilities discovered in SP2 over the next few weeks. Give it a month or two and we will also see worms that affect SP2," says Thor Larholm, senior security researcher at PivX Solutions in Newport Beach, California.