RE: Windows Update

From: Alderson, John (John.Alderson@FMR.COM)
Date: 09/26/01


Message-ID: <3A3270D7DF18D51195FA00508BCF46EAD06091@MSGMRO570NTS.fmr.com>
From: "Alderson, John" <John.Alderson@FMR.COM>
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Subject: RE: Windows Update
Date: Wed, 26 Sep 2001 12:54:23 -0400


> -----Original Message-----
> From: Chris Freels [mailto:cfreels@gracenote.com]
> Sent: Tuesday, September 25, 2001 5:37 PM
> To: Lewis, Matt; focus-ms@securityfocus.com
> Subject: RE: Windows Update
>
>
> The problem that I have found with Windows 2000 Service Pack 2 (and
> confirmed with Microsoft) is that there are a number of patches that are
> not included in SP2 that were released prior to its release. Now the
> people I spoke with had no idea why (and when do they ever), but they
> did say that we should install all the patches up to and including the
> SP. For many of us who have been doing this for a while it seems to be
> very common practice with Microsoft to forget or leave out items that
> most of us would think are very necessary. All I can say is to
> subscribe to either the Security Focus or Microsoft newsletters to
> receive the latest patch info and update everything in a test
> environment first, then once deemed safe install on your production
> equipment. I know that many of us were bitten by the OWA update for
> Exchange 2000 in June of this year. (climbing down off my soapbox)
>
> Cheers,
>
> Chris
>

The reason you see that behavior is that in the last few years, Microsoft
has been putting Service Packs through a wide beta period that could last
for two months or more. Windows 2000 Service Pack 3 is currently in that
phase but might not be released for a month or two (or more). Therefore, at
some point there is a content freeze and only x patches are included in the
SP. Patches are still being written, so those that are done between the
freeze date and the actual SP release date seem to be orphans when doing a
simple date comparison.

As has been said before by others, Windows Update is not for servers and is
not the be-all end-all for clients. For security patches, use the Search
feature at www.microsoft.com/technet/security. This feature takes the SP
beta period into account.

John Alderson


