What’s New in SP2
All told, Windows 2000 Service Pack 2 (SP2) includes 549 documented updates—and I highly suspect that the service pack includes a few undocumented updates as well. SP2 updates fall into 15 categories:

  • Application compatibility: Components that enable legacy software applications (e.g., 16-bit DOS programs) to run properly (7 fixes).
  • Base OS: Core OS components, including heap fragmentation, startup files, drivers, NTFS, memory leaks, NT Backup, DVD, Dfs (105 fixes).
  • Directory Services: Active Directory (AD) functionality, AD replication, domain controller (DC) roles, DNS, client logon, Local Security Authority Service (LSASS) (73 fixes).
  • Microsoft IIS; COM+: IIS 5.0 and supporting object functionality (44 fixes).
  • Mail: SMTP, Exchange interoperability (18 fixes).
  • Management/administration: Administration tools, Microsoft Management Console (MMC), Group Policy, Windows Management Interface (WMI), logon scripts, Windows Installer, user profiles (54 fixes).
  • Microsoft Data Access Components (MDAC): ADO, Extensible Storage Engine (ESE), ODBC (10 fixes).
  • Microsoft Message Queue Server (MSMQ): Message queue functionality (3 fixes).
  • Networking: Browser, BOOTP, RRAS, DHCP, NetMon, Network Load Balancing (NLB), WINS, Quality of Service (QoS), Network Address Translation (NAT), Internet Group Management Protocol (IGMP), Internet Control Message Protocol (ICMP) (86 fixes).
  • Other: Document indexing, Index Server, logon banner (8 fixes).
  • Printing: Gateway Service for NetWare (GSNW), Client Services for NetWare (CSNW), third-party fonts, print jobs, print drivers, PostScript (16 fixes).
  • Security: Security issues and vulnerabilities in Active Server Pages (ASP) scripting, Telnet DoS, DNS, Server Gated Cryptography (SGC), remote procedure call (RPC) service, ACLs, Netmon, Microsoft IIS, and the registry (60 fixes).
  • Setup: Setup, Sysprep, unattended installs, file versioning, Microsoft FrontPage, Win2K Server Terminal Services client (20 fixes).
  • Shell: Numerous desktop issues, including a win32k.sys blue screen and fixes for Hungarian, Spanish, and UK versions (33 fixes).
  • Terminal Services: Terminal Services server and client corrections (12 fixes).

As I mentioned last week, SP2 includes bug fixes only; the service pack doesn't provide any new features or functionality.

Despite SP2's comprehensiveness, Microsoft has already documented 157 post-SP2 bugs. If you plan a large-scale SP2 deployment, you might want to hold off until you identify the critical post-SP2 updates that you want to include in your new images. When new bugs arise at such a furious pace, it's extremely difficult to define and have confidence in a known baseline for DC, server, and workstation images. Each time we seem to have a well-defined starting point, a new crop of problems surfaces that demand immediate attention. I'll have more about post-SP2 bugs and fixes next week.

If you opt to download the full network installation version of SP2 (instead of ordering the SP2 CD-ROM), be sure to download the SP2 Support Tools update and the Installation and Deployment Guide as well. The Support Tools download contains bug fixes for six popular utilities: netdom.exe, nltest.exe, dnscmd.exe, netdiag.exe, dcdiag.exe, and dfsutil.exe. The Installation and Deployment Guide documents procedures you can follow to roll out SP2 using several methods, including a standalone upgrade, an SMS-based rollout, a Winstall upgrade, and a combination upgrade. The SP2 CD-ROM includes these updates. See the Microsoft SP2 Web site for more information.

I upgraded two Win2K Professional systems by creating an AD installation package and assigning it to an SP2 Update organizational unit (OU) that contained the Win2K Pro machines. When I booted the SP2 OU systems, they immediately started the SP2 installation from a shared network folder. Both systems completed the SP2 update and restarted successfully. When this procedure works, it’s both painless and amazing.

SP2 Upgrades and Firewall Software
If you upgrade a system running BlackIce Defender to Windows 2000 Service Pack 2 (SP2) without first installing BlackIce's SP2 fix, you might disable the firewall's packet filters. You must download and install the BlackIce patch before you upgrade to SP2 to avoid filter problems. Download the patch for Win2K Server and Win2K Professional from the BlackIce Web site.

I experienced a similar problem when I interactively upgraded a Win2K Advanced Server system running Symantec’s Internet Security software. It’s common knowledge that you should disable a virus scanner before you install a service pack. I recommend you also disable any running firewall software before you start an SP2 upgrade. I disabled Norton’s Internet Security software and installed SP2, but when I restarted the SP2 system, the firewall didn't work. I didn’t take the time to diagnose the problem, but I was able to restore the firewall functionality by reinstalling the software.

SP2 File Replication Service Improvements
Windows 2000 Service Pack 2 (SP2) includes several File Replication Service (FRS) enhancements that improve scalability and supportability in large domains. The code fixes implement more reliable communications on a network where a hub site is connected to many branch sites through slow (e.g., 64KB) links. SP2 also eliminates several known problems that Microsoft article Q272567 (http://support.microsoft.com/support/kb/articles/Q272/5/67.asp) documents, implements enhanced FRS event logging, and installs an improved version of the ntfrsutl.exe diagnostic and troubleshooting utility.

SP2 ISA Improvements
Windows 2000 Service Pack 2 (SP2) corrects two known issues in the Quality of Service (QoS) packet scheduler of Internet Security and Acceleration (ISA) Server 2000. The packet scheduler now includes forwarded IP packets in the QoS filter and flow algorithm, which lets ISA Server manage both local and routed network packets in its QoS algorithm. The packet scheduler also correctly calculates the packet checksum for network traffic that a network adapter (one that supports hardware-calculated checksums) processes. SP2 also corrects a known problem that leaves many open sockets when the client reaches a high open-and-close connection rate (i.e., about 600 connections per second).