Security Watch

Windows XP SP2 Strategies

To install or not to install SP2 is all up to you.

Service Pack 2 for Windows XP is here. Should you immediately download and install it? What if you don't want XP SP2 but still want to continue to receive critical updates through Automated Updates? The answers aren't easy; here's some guidance.

If you haven't tested a beta version, don't know if all the software you use is compatible, and don't like surprises, visit the XP SP2 support center at or (the former is for all users, the latter for IT pros). I've been following the reports of beta testers and dabbling myself, and believe that, for most people, XP SP2 won't present problems. However, SP2 is, in many ways, a new XP, and there's no way to test every possible combination of hardware and software on which it might be installed. Practice due diligence and evaluate your specific XP deployment before installing XP SP2. (Editor's note: Most of the Microsoft URLs referenced in this story are very long; the "snipurl" versions don't break, and will not expire).

If you can't immediately start deploying XP SP2, there are several pre-installation steps you should consider.

1. Understand the benefits of installing the service pack:

  • Malware attachment warnings
  • Malware download warnings
  • Pop-up blocker
  • Firewall turned on by default
  • Windows Security Center GUI that lets end users see and manage security settings (this can be blocked in a managed environment)
  • Enhancements to auto updates, including improvements for dial-up users
  • Better management of browser add-ons and e-mail addresses
  • A new wireless deployment wizard useful for small businesses

2. Grab a copy of the recovery document from This document discusses how to recover from a problem XP SP2 installation. If you're like me, when you take the precaution of printing out recovery instructions, you never have to use them. At any rate, you'll be prepared when priorities change and you've got to get XP SP2 installed immediately. When you're rushed, you might not think to look for recovery information before installing.

Of course, not everyone's going to want, or need, to immediately install XP SP2.

For example, home users, small businesses and organizations with unmanaged computers that normally use Automatic Updates might want to continue receiving the benefits of automatic patch updates, but hold off on XP SP2 until they've had time to figure out what issues there may be with current hardware or software.

Those on dial-up might also be candidates for blocking XP SP2, as they may want to wait and get the update on CD. Downloading any large file via dial-up is a pain, especially if connection costs are paid by the minute; and history shows that attempting to push huge files through dial-up may result in frustration and the turning off of automatic updates by many users.

How to handle XP SP2 is also an issue for IT departments using SUS for updates, since it may need to be blocked from some SUS client computers and approved for others. Remember that the service pack will have to be approved in the SUS server database before clients can receive it, giving an extra layer of protection to SUS shops.

If any of these scenarios applies, here are some resources. Start with the free Microsoft tool at It includes an executable, a script, ADM template to use with Group Policy, and sample e-mail text to be used to inform users on how to block and unblock delivery of XP SP2.

You can read about blocking at:

For those who like to do things the hard way, you can edit the Registry to block XP SP2 delivery. Go to the following key:


and add the new value DoNotAllowXPSP2. Set the value to 1. This will block delivery of XP SP2 via SUS or Automatic Updates for up to 120 days. Removing the value will allow delivery of XP SP2, as will the passage of time. This isn't a permanent solution; it just affords a little more breathing room.

And finally, don't believe everything you read. Contrary to some rumors, XP SP2 doesn't break things; it fixes things. (Sometimes closing holes means good software will need to be revised or reconfigured, too.)

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.

comments powered by Disqus
Most   Popular