Microsoft Blocks Windows Server 2003 SP1 Update
The toolkit will work much the same as the one released in 2004 to block the automatic download and installation of Windows XP SP2, another service pack that included not just security fixes, but major security enhancements and other new features. The toolkit can be downloaded free of charge from the Microsoft Web site.
Windows Server 2003 SP1 is set to download to servers using Microsoft's Auto Update service starting July 26. The toolkit offers an executable and a script to turn off Auto Update for SP1, as well as an Active Directory template to do the same. The tools will also remove SP1 from any update list generated by Windows Update or the new Microsoft Update, the two manual updating services Microsoft runs.
By using the toolkit, customers can avoid SP1 while still retrieving other critical security updates, Microsoft said in the advisory posted with the blocking tools.
"Customers who require additional time to prepare for the download and deployment of Windows Server 2003 SP1 can use [this] blocker toolkit," Microsoft added in the advisory.
Microsoft made clear, however, that Windows Server 2003 SP1 can still be deployed using Software Update Services (SUS) or Systems Management Server (SMS). In fact, it's because of those tools that Microsoft believes few enterprises will take up its offer. "Most enterprises manage updates via SMS and Windows Server Update Services," said a Microsoft spokesperson, "so this affects only a handful of enterprise customers."
The tools will block SP1 until March 30, 2006, a full year after the pack's introduction. That's four months longer than was given Windows XP SP2, whose automatic update was turned off after eight months.
At least one analyst is mystified about the trend toward blocking what Microsoft labels critical security updates.
"What's weird is that [the blocking tool] is needed at all," said Michael Cherry, an analyst with Directions On Microsoft. "Having to block a service pack makes no sense. On one hand Microsoft says that everyone should install SP1 to plug [security] problems, but then it says you might want to block it. I think that's counterproductive."
Instead, Cherry argued, Microsoft should step away from packing both security fixes and major enhancements in its SPs, as it has with both Windows XP SP2 and Windows Server 2003 SP1. "Make Service Packs simply be a set of fixes," he said.
The root of the problem, he continued, is that enterprises are rightfully leery of deploying a Service Pack which may break existing applications or cause other incompatibility issues. Windows Server 2003 SP1, like Windows XP SP2 before it, has problems with several applications, Microsoft has acknowledged.
"There are fewer applications on Server 2003 SP1's list than Windows XP's," Cherry noted. "But what's strange is that there are still some Microsoft applications on the list, some of which are part of the Windows Server system."
Among the applications that have known issues with SP1 are Exchange Server 2003 and ISA Server 2004.
Microsoft took issue with any incompatibility charges leveled against Windows Server 2003 SP1, saying that the blocking tools weren't developed to address "any particular incompatibilities reported by customers," according to the spokesperson.
"Considering the volume of security changes in SP1, Microsoft was able to limit the impact to less than 10 percent of overall apps tested internally," she added.
Cherry sees the trend of producing blocking tools as coming close to a Catch-22. "Microsoft's saying, 'we want you to use Auto Update because we can't trust you to do it yourself,' but then turns around and says 'wait, the Service Pack might break things, so you'd better block it.'
"The louder advice seems to be 'don't install it,'" he concluded.