RE: MS03-007 Round-up

From: Brian W. Spolarich (bspolarich@nephrostherapeutics.com)
Date: 03/20/03

  • Next message: John Jasen: "Re: Anyone have hard evidence of problems with Windows Automatic Upda tes?" 
    Date: Thu, 20 Mar 2003 10:09:19 -0500
From: "Brian W. Spolarich" <bspolarich@nephrostherapeutics.com>
To: "Marc Fossi" <mfossi@securityfocus.com>, "Focus-MS" <focus-ms@securityfocus.com>

      Mark, I know you wanted to wrap this up until some definitive answers came from the Microsoft team, but I wanted to provide a report of my experiences applying this hotfix. I have a constellation of W2K SP3 servers at my various sites (6 systems in total at three different sites). 3 of these are domain controllers, the rest run a variety of MS server apps (Exchange 2000, SQL Server 2000, etc.) I applied this hotfix to my test machine yesterday and rebooted cleanly, so I applied the hotfix to the rest of the systems last night. Although most of the systems in question were not IIS servers, my thinking was to prefer my systems to have similar revs of the core DLLs. All of them came up cleanly except for one, which is this ADC/file/print server for one of my sites. That one never came up, and I decided to deal with it in the AM.

      When I arrived onsite the system was showing a blue screen STOP 0x00000071 (SESSION5_INITIALIZATION_FAILED) error. Restarting in safe or last known good config mode didn't enable a successful boot of any kind. A call to HP/Compaq support services revealed this likely-applicable Q article:

      http://support.microsoft.com/default.aspx?scid=kb;[LN];318533

      "A dependency was introduced in a hotfix so that the Ntoskrnl.exe, Baseserv.dll, Ntdll.dll, and Kernel32.dll files must be distributed together. This dependency was later removed, which might make some combinations of these files incorrect. Also, the hotfix for Q310841 contained a regression in Cache Manager that might cause problems when you copy large files."

      Given that MS03-007/Q815021 replaces only NTDLL.DLL, this could be problematic in some circumstances. The strange thing is that I have two other servers that are identical in all important respects to the one that was negatively impacted by this patch.

      I'm waiting for a response from HP if they have suggestions on how to remove the patch. Booting off of alternative media and running the patch uninstaller should do the trick though:

      "System administrators can use the Spunist.exe utility to remove this update. Spuninst.exe is in the %Windir%\$NTUninstallQ815021$\Spuninst folder".

      -bws

        

  • Next message: John Jasen: "Re: Anyone have hard evidence of problems with Windows Automatic Upda tes?"