Small Business Susan

So why do we NEED SP2?

So the question came up: why do we really need SP2 on SBS anyway? If you don't install it, are there security implications (assuming you are up to date on everything else)?


Hmmmm… I'd argue no. I haven't seen anything earth-shatteringly different on the security side, as there was in the case of XP SP2 versus XP SP1.


So why do we really NEED SP2 anyway?

First off… forget this marketing top 10 list: http://technet.microsoft.com/en-us/windowsserver/bb229702.aspx

Total yawn for SBSers. And let's not even get started on how #3 is the very thing we're hacking off because it has caused us problems, or how #6 has some known issues as well.

Here’s my list of why:

1. Extends the supportability of the box. The RTM release of SBS rolls out of support on 7/10/2007, so only SBS 2003 SP1 is in support now.

Microsoft supports approximately two service packs at a time, so putting on SP2 gives you a longer support window. My guess is that it's the last SP I'll be putting on this system before the Longhorn era (we'll see).


2. There's a bundle of VSS hotfixes in SP2. Anyone seeing backup issues? I've seen enough smatterings to know that I'll bet most of you are seeing one or two intermittent backup failures a week on the servers under your control, if you have a fleetful of SBS boxes. Some of this may be due to USB drives reaching the end of their useful lives as backup devices, but some may be due to the need for these hotfixes.

3. Wireless stuff (ask Owen, the wireless guru). (That's their number 10 and my number 3.)

4. Lots of hotfixes, and other stuff besides the hotfixes. (Look at what's included in the SP2 KB and you kinda go: okay, so maybe some of those are a good thing to be getting on my system, you know?)

5. Because if I were your client and I was under a managed service contract, I'd say: exactly how long are you going to wait? Being on the latest service pack is a best-practice item. (Okay, okay, I'm giving you a bad time, but you get the idea… another consultant could come in and say, "Well, there's your problem… he doesn't have you on the latest service packs.")


6. Because if you are in a regulated industry, being a service pack behind can be a point knocked off a score. Seriously. All those security auditor best-practice checklists say "check for being on the latest service pack." I know I've said before that I believe "best practice" is YOUR best practices and not a cookie-cutter checklist done by some government agency still running Windows NT, but I can't argue with the overall goodness of being on a currently supported and service-packed product.

7. Because sooner or later every patch and every service pack should go on a system. It's a matter of timing, preparedness and when, not "should we?" Microsoft can and has made changes in service packs that improve security. Look, for example, at the vast difference between XP SP2 and XP SP1. Being on the latest service pack is a generally good thing.


8. Read this: http://support.microsoft.com/kb/914962 and go, "Dang, some of those look a mite interesting… I may want those." Yes, I know I'm repeating #4, but it needs repeating. There are a lot of hotfixes in there, and even though you could call in FOR FREE and get each one individually, this gives them all to you at once.


9. Because we know the issues, they've been identified, we have a "fix up" patch, and we know what we're facing.


10. At some point in the far, far future there will be a patch that needs SP2 installed first. Just like the Vista/connectcomputer/join patch, aka the "Ripcurl" patch, needs SBS 2003 SP1 to be installed, there will be a time when you HAVE to get it on. It's much better to plan for it and install it on YOUR schedule, not as part of a mandatory "I must get this on, otherwise I can't patch/install what I really need to install." Never get yourself into a situation where you HAVE to get a service pack on because something else demands it, is my personal view.

Getting on the latest service pack is never a matter of "if"; it's always a matter of "when". But it's when I'm good and ready. We know the issues now and the game plan: ensure you are on the latest NIC drivers, install SP2, then install the post-SP2 patch (the one available through Microsoft Update) that hacks off RSS.


What was annoying at first was the totally silent release on a Patch Tuesday when we were told there would be no patches, right after a very rough DST patching month; the EULA that it didn't have, was supposed to have, and finally does have (thank you to the folks at MS who fixed that one); and the lack of SBS experience with it. Show me a newsgroup of people with SP2 issues and I'll show you a measurable number of Help and Support blow-ups that people don't know are blown up until they are told to go check whether it's blown up. We count that as a SP that breaks things, but that's so minor an issue when the bulk of us don't even realize it's broken in the first place. The KB to fix it is KB937231… you don't even have to call in for the fix; you can use the workaround, which does the same thing.


The posts about "consuming SP2" while we were counting up the dead bodies didn't help either. I know that one post in particular was the straw that broke the camel's back and sent me right over the "rant" edge. But in fairness… I've seen many an admin post on www.patchmanagement.org that they've had flawless upgrades of SP2 on a good fair number of servers. Our unique use of dual NICs makes us more intolerant of the advanced networking code they put in SP2. Score one for the single-NIC folks, eh?

The rest of us who lose the VPN/RDP/Exchange stuff are ISA folks who haven't updated the NIC driver since we installed the box in 2004 (I was guilty of that one).

I'm not saying you will have no issues, but I think we scared ourselves because of how this service pack just got shoved down our throats on a Patch Tuesday. Some of the MS folks wax poetic about SBS 2000 SP1(?) as being a really solid service pack experience. Except I had to go without XP SP1 on all workstations for 6 months, because every time I installed that service pack I had Office files lock up on me due to the interaction of SMB signing between the Win2000 service pack and XP SP1. It took six months to get a patch for that out of Microsoft because it was security related. This didn't take six months to get sorted out.

We know what we’re facing now.


We got a map.


And I think that’s the important thing.

And that top ten list of reasons to upgrade to SP2 is even more important if you have a trouble-free install. Service packs are not optional in my network.


But they are installed when I want them to be installed.


If you are delaying because there's no room on that 12 GB drive… I'd recommend what Les said recently: if you can't fit SP2 on that C:\, you won't last too much longer patching either. You won't make it with a drive that size until Longhorn comes out. Start planning a hard drive change-out to a larger one.
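The game plan above (current NIC drivers, then SP2, then the patch that turns RSS back off) and the disk-space warning both boil down to things you can check before touching a box. Here is an added PowerShell example, not from the original post, that inventories a list of servers for service pack level, free space on C:, NIC driver dates and the Scalable Networking Pack switches. It assumes you run it from an admin workstation with WMI and remote registry access to each server; the server names and the 2 GB headroom figure are placeholders, and the registry value names EnableRSS, EnableTCPChimney and EnableTCPA under Tcpip\Parameters are the Windows Server 2003 SP2 settings where a DWORD of 0 means the feature is off.

```powershell
# Added example (not from the original post): pre/post SP2 state check for a
# fleet of SBS 2003 boxes, run from an admin workstation.
# Assumptions: WMI and remote registry reachable on each server; names below
# are placeholders; $minFreeGB is an assumed headroom figure, not a Microsoft number.
$servers   = @('SBS01', 'SBS02')   # placeholder server names
$minFreeGB = 2                     # assumed free space wanted on C: before SP2 setup

foreach ($s in $servers) {
    $os       = Get-WmiObject Win32_OperatingSystem -ComputerName $s
    $sysDrive = Get-WmiObject Win32_LogicalDisk -ComputerName $s -Filter "DeviceID='C:'"
    $freeGB   = [math]::Round($sysDrive.FreeSpace / 1GB, 2)

    # Network adapter drivers: the game plan is "latest NIC drivers first",
    # so list version and date for every NET-class signed driver.
    $nics = Get-WmiObject Win32_PnPSignedDriver -ComputerName $s |
        Where-Object { $_.DeviceClass -eq 'NET' -and $_.DriverDate }

    # Scalable Networking Pack switches (SP2). $null = value not set, which
    # leaves the feature at its default; 0 = explicitly off.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $s)
    $tcp  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Tcpip\Parameters')
    $snp  = @{}
    foreach ($name in 'EnableRSS', 'EnableTCPChimney', 'EnableTCPA') {
        $snp[$name] = $tcp.GetValue($name)
    }

    "{0}: {1} SP{2}, C: free {3} GB" -f $s, $os.Caption, $os.ServicePackMajorVersion, $freeGB
    if ($os.ServicePackMajorVersion -lt 2 -and $freeGB -lt $minFreeGB) {
        "  WARNING: not yet on SP2 and below the assumed {0} GB free on C:" -f $minFreeGB
    }
    foreach ($n in $nics) {
        # DriverDate is a DMTF datetime string; convert it for readable output.
        $date = [System.Management.ManagementDateTimeConverter]::ToDateTime($n.DriverDate)
        "  NIC {0}: driver {1} dated {2:yyyy-MM-dd}" -f $n.DeviceName, $n.DriverVersion, $date
    }
    foreach ($k in $snp.Keys) {
        $state = if ($snp[$k] -eq $null) { 'not set (default)' } elseif ($snp[$k] -eq 0) { 'off' } else { 'ON' }
        "  {0}: {1}" -f $k, $state
    }
    $tcp.Close(); $hklm.Close()
}
```

Read the output bottom-up: a box reporting SP2 with EnableRSS "not set" or "ON" is the dual-NIC/ISA case the post describes, one that still needs the follow-up patch (or the registry value set to 0) after SP2 goes on; a box still on SP1 with an old NIC driver date and little free C: is the one to fix up before you schedule the service pack.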


P.S.


11. Don't wait so long to install a service pack that when you finally do get around to installing it, have some questions about it and ping me… I go, "Dang… how long ago was it that I did my last Service Pack 1 install? I can't remember whether what you are seeing is normal or not." Stay with the flock and don't wait too long to install.



2 comments

Dekks Herton on 07.08.07 at 11:40 am

    Thanks for the info….


Chris Knight on 07.08.07 at 10:12 pm

    The biggest problem I have with both SP1 and SP2 for SBS is the inability to perform a slipstream install to CD1. For ASR and Repair installs to work properly and reliably requires a CD1 that matches the install.
    Some hackery can be performed by using a slipstreamed Win2003 CD1, but it requires some file and registry surgery to get it working properly.
    I had less gnashing of teeth once SP1 media became available, but now I'm back to the same problem with SP2, in that I have no SP2 media to perform ASR or Repair installs. This sucks, as I have a nice, quick recovery and migration capability – even to new hardware – using an unattended install, a restore from a full backup and a Repair install (if using different hardware).