Bug fixes, security hotfixes, and upgrade options

Microsoft released the long-awaited Service Pack 2 (SP2) for Windows 2000 in May 2001. Microsoft organized SP2's 549 documented bug fixes into 15 categories, which Table 1, page 42, shows. Although the line between a bug fix and a feature is fuzzy at best, Microsoft claims that SP2 contains code corrections but doesn't fundamentally extend the functionality or the feature set of the OS. Most of the updates are either identical to or supersede fixes that were available from Microsoft Product Support Services (PSS) before the release of SP2. To save you the effort of reading through 549 documents, I highlight some of the most important improvements. (For information about where you can find SP2, see the sidebar "Where to Get SP2," page 40.)

SP2 delivers a large number of hardware-specific fixes for power, video, and DVD problems on Toshiba, Dell, Compaq, Gateway, and IBM notebooks and laptops; an updated AGP driver that supports ServerWorks' RCC HE chipset; improvements to the SCSI driver; support for ATA-100 (Mode 5) hard disks; an OHCI1394 driver that no longer leaks memory; and an improved USB driver that eliminates the occasional disappearing device.

SP2 also corrects many problems with the DNS cache and zone transfers; Active Directory (AD) replication; backup and restore; authentication, passwords, and account lockout; access violations in lsass.exe and services.exe; and promoting and demoting Win2K domain controllers (DCs). In addition, SP2 delivers improvements to the File Replication Service (FRS), including more reliable communication on a network in which you connect a hub site to a large number of branch sites through slow links (e.g., 64Kbps links), enhanced FRS event logging, and an improved version of the ntfrsutl.exe diagnostic and troubleshooting utility.

In the networking area, SP2 eliminates multiple WINS and DHCP problems and removes the 850-DHCP-servers-in-a-network limit. Several SP2 DHCP server patches require that you manually edit the registry to activate the improved functionality. See the Microsoft article "Dynamic Host Configuration Protocol Server Management Issues in Windows 2000" (http://support.microsoft.com/support/kb/articles/q297/8/47.asp) for a description of the modifications you must make.

After you install SP2, the OS will no longer hang when you enable object auditing, and it will run batch files that redirect input or output without generating an access violation. In addition, minor fixes ensure that the OS correctly calculates the size of the registry, lets Windows NT Loader (NTLDR) boot with a fragmented system hive at startup, and eliminates an occasional but fatal deadlock in ntdll.dll and a dfssvc.exe memory leak. SP2 includes several fixes to NT Backup that eliminate problems with backing up and restoring Microsoft Exchange 2000 Server databases.

Finally, what service pack would be complete without a cleanup of known access violations and blue screens? This update eliminates blue screens caused by disk.sys, serial.sys, fastfat.sys, dlc.sys, and the well-known stop 0x1e that can occur at the beginning of a replication window on all Win2K servers in the same domain.

SP2 and Security
In March 2001, Microsoft discovered that incorrect file-version numbers in several security hotfixes might cause 1 of 26 hotfixes to overwrite a current file with an earlier version of the same file. To eliminate this problem, Microsoft released a new catalog file, sp2.cat, that contains updated file-version numbers for hotfixes with the file-version number problem. SP2 includes this catalog, so you don't have to install the standalone sp2.cat file before you upgrade. After you install SP2, you can be confident that all the files in the selected group of hotfixes are current.
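One way to confirm after a hotfix installation that no file moved backward, as an added example (not Microsoft's tooling and not code from this article): it compares a before and after inventory of four-part file versions numerically rather than as text. The inventories, version numbers, and function names are constructed for illustration.

```python
# Added example: audit a before/after file-version inventory for downgrades.
# All version numbers below are constructed sample data, not real build numbers.

def parse_version(text):
    """Parse a four-part Windows file version ('5.0.2195.10') into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)

def find_regressions(before, after):
    """Return sorted [(name, old, new)] for files whose version went down.

    File names are matched case-insensitively, as Windows treats them.
    Files that were added or removed are ignored; only downgrades are reported.
    """
    old = {name.lower(): parse_version(v) for name, v in before.items()}
    regressions = []
    for name, v in after.items():
        new_v = parse_version(v)
        old_v = old.get(name.lower())
        if old_v is not None and new_v < old_v:
            regressions.append((name.lower(), old_v, new_v))
    return sorted(regressions)

# Constructed inventories: file versions recorded before and after a hotfix run.
BEFORE = {
    "Services.exe": "5.0.2195.10",
    "lsass.exe": "5.0.2195.2780",
    "ntdll.dll": "5.0.2195.2779",
}
AFTER = {
    "services.exe": "5.0.2195.9",    # older build, although "9" sorts after "10" as text
    "lsass.exe": "5.0.2195.2964",    # upgraded
    "ntdll.dll": "5.0.2195.2779",    # unchanged
}

if __name__ == "__main__":
    for name, old_v, new_v in find_regressions(BEFORE, AFTER):
        print(f"DOWNGRADED {name}: {'.'.join(map(str, old_v))} -> "
              f"{'.'.join(map(str, new_v))}")
```

A plain string comparison would miss the services.exe downgrade in the sample data, which is why each version field is compared as an integer.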

As for security hotfixes, SP2 bundles 30 hotfixes that Microsoft released for public download through December 2000. Scan through the long list of security hotfixes that Microsoft released starting in January 2001, and download any hotfixes that directly affect your network operation. After you download the hotfixes, you can include all those you need to install on existing or new systems in a combination installation directory that also includes SP2. When you use the new Win2K combination installation method, you can install SP2, selected bug fixes, and security hotfixes in one operation. (I explain the basics of a combination installation later.)

Updated Support Tools
If you download the full network installation version of SP2 instead of ordering the SP2 CD-ROM, you need to download three additional files: the update to the Win2K Support Tools, the Microsoft Windows 2000 Resource Kit Deployment Tools update, and the Installation and Deployment Guide. Microsoft has links to these downloads on the SP2 home page (http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp) and ships all three updates on the SP2 CD-ROM.

The Support Tools download contains bug fixes for six popular utilities—netdom.exe, nltest.exe, dnscmd.exe, netdiag.exe, dcdiag.exe, and dfsutil.exe—that ship in the \support directory of the Win2K CD-ROM. The Deployment Tools update contains a new version of the Sysprep tool (version 1.1) that cleans up a couple of Sysprep bugs and reduces the number of images you need to build. The Installation and Deployment Guide is a comprehensive document that describes procedures for upgrading and rolling out SP2.

Preparing to Upgrade
You need a bit of information before you upgrade to SP2. SP2 upgrades Win2K to high encryption (i.e., 128 bits), which offers a much higher level of protection than standard 56-bit encryption. Note that according to the Installation and Deployment Guide, SP2 doesn't upgrade the Protected Store to high encryption. To close this loophole, you must install the security hotfix at http://www.microsoft.com/technet/security/bulletin/ms00-032.asp to upgrade this component.

If you uninstall SP2, the OS remains a high-encryption version. If you're upgrading an earlier version of Win2K, disable any running virus scanner. Otherwise, the virus scanner might incorrectly report that an installation file contains a virus, which will stop the upgrade. If you're upgrading a system that acts as a firewall, check with your firewall vendor and download any SP2 updates for the firewall software before you begin. You might also need to disable the firewall software before you start the upgrade procedure. To ensure that you protect your Internet connection during the upgrade, you might need to disconnect the WAN link or substitute another firewall until you successfully update the production system.

If you've ever performed a service pack upgrade, you know that Setup always prompts you to create an \uninstall directory. The first time you install any service pack, select Yes to create the \uninstall directory. However, if you have to install SP2 twice (or any service pack, for that matter), select No the second and all subsequent times you install the same service pack. If you create an \uninstall directory more than once, Setup overwrites the SP1 files in the \uninstall directory with SP2 files from the previous upgrade attempt. If you later uninstall SP2, the \uninstall directory will contain only SP2 files and you won't be able to revert to the earlier version of the OS.

Installation Options
SP2 supports three types of installation methods: an update installation (i.e., a traditional upgrade from an earlier version of Win2K), an integrated (i.e., slipstream) installation on a new system, and a combination installation that builds one installation source that combines SP2, hotfixes, and custom drivers specific to your hardware configuration. To see a list of all the files SP2 updates, look at the log file svcpack.log in the system root after the upgrade is complete.

Update installation. You can use the update installation method either from the Microsoft Web site or from a downloaded file on a local or shared network drive. If you have only one or two systems, you might want to take advantage of Microsoft's online Express upgrade service. The Express option initiates an interactive upgrade from the SP2 Web site. This option updates components specific to the platform that the connected system runs. If you're updating just one or two systems, the Express option is probably faster and requires less disk space than downloading and installing the 105MB file.

If you choose to install SP2 from a downloaded file, you start by double-clicking the download file w2ksp2.exe on either a local or a shared network drive. You can also expand the service pack (w2ksp2.exe /x) to a directory (e.g., D:\sp2) and run update.exe from a command prompt. The Update utility resides in the \i386\update directory. (To display the options that update.exe supports, type

Update /?

at a command prompt.) You can also install SP2 on remote systems in a Win2K domain by using the Windows Installer service and the companion installation file update.msi. When you use this method to install SP2, you can uninstall SP2 and revert a system to the earlier version.

Integrated installation. Microsoft uses the term integrated installation to refer to a slipstream directory that contains the OS and the most recent service pack. When you initiate a slipstream installation, you install the OS and SP2 files in one operation instead of installing the OS first, then upgrading to SP2. This method is the fastest way to install a current copy of the OS on a new system. As you would expect, you can't uninstall SP2 on a system you build from a slipstream folder because the installation integrates SP2 files into the OS. (The sidebar "Creating a Slipstream Installation Directory" documents the procedure you follow to build a slipstream directory that installs Win2K SP2 on a new system.) After you create the slipstream directory, you can copy the directory structure to a CD-ROM, add CD-ROM boot files, and use the CD-ROM to install Win2K SP2 on a standalone system. For a step-by-step guide about how you deploy SP2 remotely on network systems by using group policy, download the Installation and Deployment Guide, then follow the instructions in Scenario 3, "Using Windows Installer Service to Install the Service Pack," in the "Creating an Update Installation" section.

Combination installation. The combination installation combines an integrated installation with bug fixes, security hotfixes, driver updates, and files specific to your hardware or software configuration. You start with a slipstream directory, then add updates specific to your requirements. At press time, more than 200 published post-SP2 bug fixes existed.

If some of these post-SP2 updates or security hotfixes are crucial to your operation, you can include them in the baseline image by using the combination installation method. You create a combination installation directory by first building a slipstream installation directory. Then, you add updates that you want to include in the baseline image. When built, the resulting image eliminates the requirement that you install each security hotfix or bug fix individually. (For a description of the procedure you follow to create a combination installation, see the "Combination Installation" section of the Installation and Deployment Guide.)

Disk Space Requirements
For Win2K Professional, you need a minimum of 340MB of free hard disk space to install SP2 from a network distribution share and 710MB of free space when you perform either an Express installation from the SP2 Web site or a local installation from the download file or an SP2 CD-ROM. The \uninstall directory requires a minimum of 250MB of free space for a new installation and 380MB when you upgrade from SP1. (Note that all the free space must be on the system partition.)

For Win2K Server and Win2K Advanced Server, you need a minimum of 415MB of free space to install SP2 from a network distribution share and 830MB to perform a Web-based Express installation or a local installation from the download file or the SP2 CD-ROM. The \uninstall directory requires a minimum of 315MB of free space and 460MB on a system that you upgrade from SP1.

The Update utility command-line option -n disables creation of the \uninstall directory. If your testing reveals that SP2 is a stable platform and you don't anticipate reverting back to SP1, you can save 250MB to 460MB of disk space on each system by disabling creation of the \uninstall directory. You might also want to disable creation of the \uninstall directory if you have limited space on the system boot partition.

Using the Windows Installer Service to Deploy SP2
The Windows Installer method for updating software on remote systems is easy to set up and activate. This method uses a computer-based policy to deploy software on computers within an AD container, which can be a site, a domain, or an organizational unit (OU). Follow these steps to set up the Windows Installer installation method:

  1. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
  2. Create a new OU and name it SP2Upgrade, then move the computers you want to upgrade (e.g., Work1, Work2) into the SP2Upgrade OU.
  3. Assign the Windows Installer package update.msi, which contains all the information the Windows Installer service needs to install SP2 without user intervention, to the SP2Upgrade container.

The next time someone reboots Work1 or Work2 (or any other computer in the SP2Upgrade OU), the Windows Installer service automatically starts the SP2 upgrade. If you opt for this technique and you change your mind about upgrading a specific computer, move the computer out of the SP2Upgrade OU before you restart the computer.

The upgrade takes 10 to 20 minutes depending on the speed of the CPU, the amount of memory, and the amount of free disk space. You might want to inform your users before you implement the remote update so that they understand the reason for the long delay. After Windows Installer finishes the SP2 upgrade, users can log on as usual.

To verify that the SP2 upgrade was successful, right-click My Computer, select Properties, and look at the OS version on the General tab. Alternatively, you can run the Winver utility from a command prompt. The SP2 upgrade might fail if the machine has inadequate free disk space or a user powers off the machine after the upgrade starts. If SP2 fails, you can reschedule the upgrade by moving the computer out of the SP2Upgrade OU, then restarting the computer. Then, move the computer back into the SP2Upgrade OU and start the system a second time to begin the SP2 upgrade.

When to Reinstall SP2
In most cases, the Windows File Protection (WFP) feature in Win2K eliminates the need to reapply a service pack. You usually don't have to reinstall a Win2K service pack after you add or remove OS components or services. SP2 adds a second driver .cab file that contains all the drivers that Microsoft has modified since SP1. When you upgrade to SP2, the upgrade automatically updates all the loaded drivers. If you subsequently add a new hardware device, Win2K searches for the device driver in the updated driver catalog sp2.cab and installs the current version if one is available. If sp2.cab doesn't contain the correct driver, Win2K installs the driver from the original driver .cab file.

The main exception to this rule is when you repair a system with the Emergency Repair Disk (ERD) utility. If you repair files in the system root and you haven't updated the repair directory, the repair operation can overwrite SP2 files with files from an earlier version. To ensure that all OS components are the most current version, you might need to reinstall SP2 after you run the ERD.

Moving Forward
SP2 is a comprehensive update, but be aware that already more than 200 documented post-SP2 bugs exist. You can scan the current list of post-SP2 fixes at http://support.microsoft.com/support/servicepacks/windows/2000/win2000_post-sp2_hotfixes.asp. If you're planning a large-scale SP2 deployment, you might want to hold off until you identify post-SP2 problems, bugs, and security vulnerabilities that you need to include in a combination installation.

This furious pace of code fixes makes building and having confidence in a known baseline for workstation, server, and DC images extremely difficult. At least you have slipstream and combination installation techniques to help you manage the nonstop flow of updates to your production systems.