Upgrading to XP SP3 and beyond

Dan Kaplan, executive editor, SC Magazine

The death of Windows XP Service Pack (SP) 2 is set for this month, but many IT administrators appear to be in denial.

July 13 is the date Microsoft has pledged to cease support for the operating system update. SP2 was released in 2006, with SP3 following two years later. Yet, many organizations, citing its reliability and stability, still are running SP2, said Wolfgang Kandek, CTO of vulnerability management firm Qualys.

That, however, may invite security risks, given that Microsoft will stop releasing monthly patches for SP2, Kandek said.

“The danger is that, within a couple of months, SP 2 will have vulnerabilities that officially don't exist, but attackers will know they exist,” Kandek said.

About a year ago, Qualys began tracking XP SP2 migrations across roughly one million machines, Kandek said. The company found that at that time, 80 percent of XP computers ran the soon-to-be-unsupported service pack, though the number has dwindled to 50 percent.

Kandek said he blames Vista, oft criticized for its usability and hardware compatibility shortfalls, for the slowness of many to migrate. Vista, released in January 2007, failed to permeate businesses, and the resulting flop kept many organizations in the comforts of SP2.

But as the end-of-life date now approaches for SP2, the easiest move for organizations is to upgrade to SP3, Kandek said. Installing the package is similar to updating computers with security updates. Yet, administrators should be careful to test the new service pack, Kandek advised.

In addition, research firm Gartner recommends that organizations plan and test Windows 7 this year, with the goal of eliminating XP by the end of 2012. Microsoft plans to end support for XP – and with it, the nine-year-old Internet Explorer 6 – in April 2014. (Google Reader and YouTube already have stopped supporting IE6.)

“Windows 7 has been getting positive reviews, and many clients report that they have plans to start their production deployments, but there are some that are still undecided about when to start and how quickly to do the migration,” said Michael Silver, vice president and distinguished analyst at Gartner.

Organizations could opt to deploy Windows 7 all at once or gradually, Gartner said. They should work with their software providers to determine when they will provide support for the new platform.
