Microsoft to Issue Security-Fix Rollup

Microsoft to Issue Security-Fix Rollup

Mary Jo Foley

Microsoft has been wavering as to its Windows XP service-pack plans. But now it appears that the Redmond software maker is, indeed, going to issue a service pack prior XP Service Pack 2, which is expected around the third quarter of next year.

As reported on Steven Bink’s Windows site, among others, Microsoft notified testers who participated in its Windows Update version 4 program that it was seeking participants to work with two versions of an interim security rollup patch.

The full version is designed to provide users with either all of the security fixes since XP was introduced in 2001 or those released since XP SP1 was introduced in the fall of 2002. The express version will provide security updates issued since SP1 only.

The test period for the interim rollup is short; it runs through September 24. Company watchers expect Microsoft to make it available soon thereafter.

Microsoft officials declined to comment on the rollup. A Microsoft spokesman notes that “the Microsoft Security Response Center is actively looking into new solutions around updates for customers to make keeping their software up-to-date an easier task. At the moment, they are not ready to share the ideas but they are taking customer feedback seriously and committed to helping customers protect their PCs.”

According to the security rollup beta invitation, “Update Rollup 1 for Microsoft Windows XP … consists of 22 previously released critical and security updates for Windows XP rolled into one convenient package,” say Microsoft on its BetaPlace beta-testing site. “Installing this item provides you the same results as installing the individual updates.”

Rumors of such an interim security rollout have been circulating for about a month. On an online chat on Blaster, held August 18, Microsoft officials gave conflicting information as to whether the company planned such a security rollup.

Microsoft product manager John Hazen, when asked whether Redmond would issue such an interim rollup, said: “We do not currently have plans to create a Security Rollup Package for Windows XP, but are exploring ways to make these fixes more readily available and easier to install together.”

But later, during the course of the same chat, Hazen told participants that “In terms of interim solutions, we encourage people to make use of the currently tools (AU [Auto Update], SUS [Software Update Services], etc) to keep their systems current. We are also exploring several options to make these fixes smaller, and more easily combined for deployment.”

Hazen said that a number of Microsoft customers have said they would prefer that Microsoft only issue service packs once a year, at most, as more frequent service pack releases complicated their deployment and maintenance tasks.

But since the Blaster worm and SoBig virus hit users with a double-whammy, customers have become more vocal in demanding that Microsoft fix its software patching mechanisms – not to mention Windows itself. Users who have not kept their Microsoft security patches current spend hours trying to bring their systems up to par by downloading the myriad fixes issued by Microsoft over the past year or two.

Read More About Microsoft’s Plans to Patch Patch-Management Here

And the Advice Customers Have for Redmond on XP Security

When asked how many security patches it has issued for Windows XP, a Microsoft spokesperson declined to offer a total. And because of the way Microsoft categorizes its patches into multiple categories, with multiple severity levels — not to mention its practice of bundling some fixes together and releasing others separately — it’s difficult to get an accurate count.

In mid-August, Microsoft published to its Web site a service-pack roadmap, which indicated that the company had no plans to release Windows XP SP2 until “mid-2004.” Many testers had expected Microsoft to release SP2 earlier, as Microsoft has been beta testing SP2 among selected testers since earlier this summer.

Microsoft officials also have said to expect SP2 to include new features, and not just fixes – despite the fact that Microsoft has stated adamantly that service packs are designed to provide patches and not new functionality.

Some testers have speculated that Microsoft is planning to provide its PC Satisfaction Trial functionality as part of SP2. The trial, in which testers have been participating for months, is a service via which Microsoft provides anti-virus, firewall, backup and PC-health-monitoring services that would be aimed at primarily at small-business and consumer customers. Microsoft officials have declined to say how and when Microsoft plans to commercialize PC Satisfaction technologies.

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in Microsoft Watch.