It is obvious I am a fan of Service Pack 2, but many Admins are reluctant to make the jump. The following note from Microsoft should help:
Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows Update and Automatic Updates
Introduction
Windows XP Service Pack 2 (SP2) contains major security improvements designed to provide better protection against hackers, viruses, and worms. Windows XP SP2 also improves the manageability of the security features in Windows XP and provides more and better information to help users make decisions that may potentially affect their security and privacy. Because of these significant improvements, Microsoft views Windows XP SP2 as an essential security update and is therefore distributing it as a “critical update” via Windows Update (WU) and the Automatic Updates (AU) delivery mechanism in Windows. Microsoft strongly urges customers with Windows XP and Windows XP Service Pack 1-based systems to update to Windows XP SP2 as soon as possible.
While recognizing the security benefits of Windows XP SP2, some organizations have requested the ability to temporarily disable delivery of this update via AU and WU. These organizations have populations of unmanaged PCs, upon which they have enabled AU. This is done to ensure that these unmanaged PCs receive all critical security updates. Since SP2 will start to be delivered to PCs running Windows XP or Windows XP with SP1 via AU starting on August 16, these customers would like to temporarily block the delivery of SP2 in order to provide additional time for validation and testing of the update. In response to these requests, Microsoft is providing the following guidance, resources, and communication vehicles to meet the needs of these customers.
Please note that the mechanism to temporarily disable delivery of Windows XP SP2 will be available for a period of 120 days (4 months) from August 16. At the end of this period, Windows XP SP2 will be delivered to all Windows XP and Windows XP Service Pack 1-based systems -- WU and AU will simply ignore the presence of the blocking mechanism.
Summary of Relevant Windows XP SP2 Dates
8/6 Release to manufacturing
8/9 Release to Microsoft Download Center (full network install package)
8/10 Release to Automatic Updates (for machines running pre-release versions of Windows XP SP2 only)
8/16 Release to Automatic Updates (for machines not running pre-release versions of Windows XP SP2)
8/16 Release to SUS via AU
Later in August Release to Windows Update for interactive user installations
Guidance
As a best practice approach to implementing a managed rollout of Windows XP SP2, customers are encouraged to use a corporate update management solution such as Systems Management Server (SMS) 2003 or Software Update Services (SUS). Alternatively, customers may use a third-party update management solution.
Key benefits of using SMS 2003 or SUS to deploy Windows XP SP2
1. Allow administrators to control the deployment of Windows XP SP2 (as well as other updates) across their Windows systems.
2. Allow customers to safely disable direct AU or WU access from individual systems, while allowing these systems to get the necessary critical security updates and other administrator-approved updates.
3. SUS will automatically and silently install Windows XP SP2 (administrators can also achieve this behavior using SMS 2003), while installation of Windows XP SP2 via WU or AU requires user or administrator interaction on each system it is installed on.
4. Dramatically reduces network traffic into the organization, since updates only need to be downloaded to one or a small number of servers within the organization, instead of being downloaded separately to each system requiring the update.
Information on SMS 2003 is available at
Information on SUS is available at
Note that SUS is available as a free download to customers with a Windows Server 2003 or Windows 2000 Server license and can be downloaded from
Resources
For customers with a population of unmanaged PCs for which the above solutions will not suffice, Microsoft is providing additional methods of managing the update process. These alternatives enable customers to temporarily disable delivery of Windows XP SP2 via AU and WU, while still allowing critical security updates to be delivered via AU and WU, thus providing more time to plan for deployment.
Options to temporarily disable and then re-enable delivery of Windows XP SP2 via AU and WU
1. For organizations that have implemented Active Directory-based Group Policy, we will provide an ADM template to allow these customers to centrally and easily disable and re-enable delivery of SP2 to targeted groups of Windows XP systems using Group Policy.
2. For organizations that have not implemented Group Policy, we are providing Microsoft signed executable software that can be run on systems to disable and re-enable Windows XP SP2 delivery. The disable and re-enable actions are specified as command-line parameters when running the executable.
Microsoft is also providing a sample script that will accept a machine name as a command-line parameter to enable execution of the executable software on a specific machine. The script can be used to run the executable on a remote machine or on a group of remote systems, using a mechanism that works best for the customer (run as logon script, via a remote script execution mechanism such as SMS, etc.).
3. For organizations that have machines that are not easily managed via scripting or Group Policy, but are accessible via e-mail, we are providing sample e-mail text that includes a URL link that users can click on to disable delivery of Windows XP SP2. This URL will point to an executable script hosted on This option requires users to have administrator rights on their machines.
We are also providing sample e-mail text with a similar included URL link that can be clicked on to re-enable delivery of Windows XP SP2. IT administrators can send this e-mail to their users when they are ready to deploy Windows XP SP2 to these users’ systems.
Note 1: All of the above options rely on the presence of a registry setting to disable delivery of SP2. This is a new registry setting that is used only for the purpose of disabling and re-enabling delivery of SP2. Consequently, there is no additional impact or side effect on the system, and customers will be able to use these options immediately without need for any testing.
Note 2: Running the executable software requires administrative privileges. Users who are not administrators on their systems will not be able to run the executable. This is not an issue, since these users would not be able to install Windows XP SP2 anyway, and disabling delivery of Windows XP SP2 would not be a concern for these users.
Delivery
Customers will have access to these tools via the Windows XP SP2 section of Microsoft TechNet ( that provides
1. Information on options for temporarily disabling delivery of Windows XP SP2 via AU and Windows Update
2. Content to disable and re-enable delivery of Windows XP SP2
a. URL link to download a self-extracting zip file containing the ADM template, signed executable, and sample script
b. Sample email text with included link that can be clicked on to disable delivery of Windows XP SP2
c. Sample email text with included link that can be clicked on to re-enable delivery of Windows XP SP2
3. Link to a frequently asked questions (FAQ) page
Note: The main Windows XP SP2 page on TechNet will have an announcement about the availability of the Windows XP SP2 delivery-disabling options and will provide a link to the above Web page.
I am sorry the above is kind of a messy format, but this question has been raised too often to ignore.
Bill Castner