Here’s the bad news—ugly, but predictable. Microsoft privately distributed a large number of post-Windows 2000 Service Pack 3 (SP3) code changes to selected customers before releasing SP3. Because Microsoft incorporated changes into SP3 after distributing the post-SP3 hotfixes, the original versions of 59 post-SP3 hotfixes contain older file versions than those in the SP3 catalog. If you attempt to install the original version on a running SP3 system, file version conflicts might cause the hotfix install to fail or to function incorrectly. To guarantee a working OS, you need to obtain and reinstall the new, improved version of each affected hotfix after you upgrade to SP3.

The post-SP3 patch problem affects hotfixes that Microsoft Product Support Services (PSS) distributed to customers between April 2, 2002, and July 29, 2002. If you have a support contract, you need to verify whether any of the 59 updates in the list below are installed on systems you plan to upgrade. Microsoft states that this problem applies only to privately distributed updates, and is not a concern for security hotfixes or updates posted at the Microsoft Download Center and Windows Update. Microsoft also claims that SP3 setup will detect and warn you of hotfix conflicts during the "inspecting your system" phase of the upgrade. If you don’t get any such warnings during Setup, you can safely proceed. For more details, see the Microsoft article "Some Windows 2000 Hotfixes May Cause a Conflict with Service Pack 3 (SP3) for Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q309601.

You can use a variety of tools to list installed hotfixes, including the hotfix.exe utility, the SP3 version of update.exe, Qfecheck, Hfnetchk, and the Microsoft Baseline Security Analyzer (MBSA) tool. The fastest way to list hotfixes on the local system is to run the SP3 update.exe utility. Expand the service pack (w2ksp3.exe /x), open a command prompt and type

i386\update\update.exe /l

In a few seconds, the installer displays a pop-up window that itemizes installed hotfixes. You can generate an equivalent list using the hotfix.exe utility, which Microsoft embeds in most hotfixes. Simply expand a hotfix into its component files (Qxxxxxx /x) and type

hotfix.exe /l

at a command prompt. Hfnetchk, the improved version of Qfecheck, has an extensive command-line interface and is well documented in the Microsoft article "Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available," which you can read at http://support.microsoft.com/default.aspx?scid=kb;en-us;q303215. I prefer the MBSA because of the friendly GUI and report archiving features. With its custom version of Hfnetchk, MBSA is the fastest and easiest method for auditing hotfixes on multiple systems. You can audit systems by name, by TCP/IP address or address range, or by domain membership, and save the audit results permanently in a disk file. With a permanent record, you can easily compare before and after snapshots of system status, which is important for tracking progress and auditing the final results of your configuration activity.

Here are the 59 post-SP3 hotfixes, separated into appropriate categories:

13 Active Directory (AD) Hotfixes

  • Q288180 The ExitWindowsEx() Function May Not Log Off the User or Shut Down the Computer If the Computer is Locked
  • Q312827 An Incorrect Authentication Package Name May Appear in Audit Event 529
  • Q319672 Directory Service Access Audits for a SAM Object Server Have Incomplete Object Names
  • Q319709 An Access Violation Occurs in Lsass Because of a Stack Overflow
  • Q320099 A Security Policy Does Not Process Restricted Groups Correctly
  • Q320670 Event ID 528 May Not Be Logged If LsaLogonUser() Is Called
  • Q320711 Accessing Active Directory with LDAP by Using Sun JNDI Calls May Not Work
  • Q320903 Clients Cannot Log On by Using Kerberos over TCP
  • Q321217 You Receive an "Action Could Not Be Completed" Error Message When You Select Many Recipients in the Global Address List
  • Q321933 Services Are Not Listed in the Security Configuration and Analysis Snap-in
  • Q322175 You Must Restart the Computer After Joining a Domain with Service Pack 2
  • Q322842 A Lock Occurs Between Two Threads of System GDI in Windows 2000
  • Q324184 Access Violation in Lsass.exe Because of LDAP Version 2 Search with Referrals

3 Server Message Block (SMB) Redirector Hotfixes

  • Q318789 Redirector Does Not Cache Files When the SPARSE Attribute Is Set
  • Q319967 You Cannot Open a File That You Moved to a DFS Share
  • Q322019 Data Loss Occurs When You Copy Files Over the Network

4 Shell Hotfixes

  • Q265396 Slow Network Performance Occurs When You Select a File on a Share That Uses NTFS
  • Q321126 The "Look In" and "Save As" Boxes in Common Dialog Boxes Are Slow
  • Q322820 "Hide Specified Control Panel Applets" Policy Does Not Work in Windows 2000
  • Q323045 Access Violation Error Message in Explorer.exe

11 Kernel Hotfixes

  • Q302510 Stop 0x0000001e Error Message in Win32k.sys When Users Log Off Terminal Server
  • Q318365 Cannot Print a Large Paper Size at High Resolution
  • Q319965 Damaged Font Causes STOP 0x00000050 Error Message in the Win32k.sys File in Windows 2000
  • Q320667 Error Message on a Blue Screen During a Screen Refresh that Uses GDI Halftoning in Windows 2000
  • Q321343 The Computer Hangs If You Call LockWorkstation() While a Screen Saver Is Running
  • Q321781 STOP A in nt!KiAttachProcess+0x12 from win32k!PDEVOBJ::UnloadFontFile in Windows 2000
  • Q322913 WM_TIMER Messages May Stop Being Delivered to Programs in Windows 2000
  • Q310841 Cached FRS Data on an NTFS Volume Is Lost Under Stress
  • Q319931 Event ID 49 Entry Is Added to the System Event Log When You Use the 3GB Switch in Windows 2000
  • Q321771 You Receive a "Stop 0x51 (REGISTRY_ERROR) " Error Message
  • Q323608 The DisablePagingExecutive Setting May Cause Windows 2000 to Hang

3 Spooler Hotfixes

  • Q318152 Print Spooler Stops Scheduling Print Jobs
  • Q319370 You Cannot Print to a Local Printer After Windows 2000 Service Pack 2 Is Installed
  • Q320914 Problems Upgrading a User-Mode Print Driver By Using Point and Print in Windows 2000

2 IIS Hotfixes

  • Q323756 Redirection Response Contains Garbage Characters with Long URL
  • Q321561 Phantom Connection Count When Keep-Alive Connections Switch Host Header

23 Other Hotfixes

  • Q319915 The Back Button Is Available in the Domain Screen During Automated Setup
  • Q322934 The StgCreateDocFile() Function Causes an "STG_E_FILEALREADYEXISTS" Error in Windows 2000
  • Q263939 Disk Performance May Degrade Over Time
  • Q292053 Can Change Expired Password Without Authorization When Using IAS or RRAS in Windows 2000
  • Q307331 EnableTrace() Function Requires Trace Providers to be Registered Before Enabling Them
  • Q312571 The Event Log Stops Logging Events Before Reaching the Maximum Log Size
  • Q313494 Microsoft Cryptography API May Not Work If the Default CSP Has Been Set Incorrectly
  • Q318332 You Receive a "System Error 1230" Error Message When You Browse the Network
  • Q318871 Problems Transferring Highly Fragmented Packets in NDIS
  • Q318873 The PKI Dialog Box Appears Multiple Times If You Click Cancel
  • Q319725 SLIP Connections Broadcast NetBIOS Names When the Client Is Turned Off
  • Q320261 Terminal Services Performance Problems Occur Because Explorer.exe Maintains Instrumentation Data and Counters in the Registry
  • Q320661 You Cannot Take DFS Replica Members Offline
  • Q321036 Modem Settings Are Missing After You Remove and Re-Insert Your Modem
  • Q321733 A "Delayed Write Failed" Error Message Occurs When You Write a File to a Server
  • Q321793 "STOP 0x000000C2 BAD_POOL_CALLER" Error Message on a Cluster Node
  • Q321867 Windows NT 4.0 Usrmgr.exe Does Not Display an Error Message When You Change a Password to a Weak Password
  • Q322018 L2TP May Not Use the Default IP Address
  • Q322141 Ntfrs.exe Does Not Clean Up the Staging Folders on Members with no Outbound Partners in Windows 2000
  • Q322346 You Cannot Access Protected Data After You Change Your Password
  • Q324406 Printing to a Redirected LPT1 from Windows XP to Windows 2000 Prints Multiple Separator Pages
  • Q324574 Certificate Does Not Display the Ampersand (&) in a Company Name
  • Q324612 Plug and Play Devices Are Not Detected After You Restart Your Windows 2000-Based Computer
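
To cross-check saved hotfix inventories against the 59 numbers above before you upgrade, here is an added example (not from the original article or from Microsoft). It assumes each inventory is plain text in which an installed hotfix appears as its Q number; the function names, host names, sample file name and sample inventories are constructed for illustration.

```python
import re

# The 59 affected hotfix numbers from the list above, by the article's categories.
AFFECTED = {
    "Active Directory": "288180 312827 319672 319709 320099 320670 320711 "
                        "320903 321217 321933 322175 322842 324184",
    "SMB Redirector": "318789 319967 322019",
    "Shell": "265396 321126 322820 323045",
    "Kernel": "302510 318365 319965 320667 321343 321781 322913 310841 "
              "319931 321771 323608",
    "Spooler": "318152 319370 320914",
    "IIS": "323756 321561",
    "Other": "319915 322934 263939 292053 307331 312571 313494 318332 "
             "318871 318873 319725 320261 320661 321036 321733 321793 "
             "321867 322018 322141 322346 324406 324574 324612",
}
CATEGORY_OF = {"Q" + n: cat for cat, ids in AFFECTED.items() for n in ids.split()}

# Match Q plus exactly six digits, even inside a file name such as q322019_x86.exe.
HOTFIX_RE = re.compile(r"(?<![A-Za-z0-9])Q(\d{6})(?!\d)", re.IGNORECASE)


def installed_hotfixes(inventory_text):
    """Return the set of Q numbers mentioned in one saved inventory listing."""
    return {"Q" + digits for digits in HOTFIX_RE.findall(inventory_text)}


def conflicts(inventory_text):
    """Map category -> sorted affected hotfixes present in the inventory."""
    found = {}
    for q in sorted(installed_hotfixes(inventory_text).intersection(CATEGORY_OF)):
        found.setdefault(CATEGORY_OF[q], []).append(q)
    return found


def upgrade_worklist(inventories):
    """Per host, the affected hotfixes to replace after the SP3 upgrade."""
    hits = {host: conflicts(text) for host, text in inventories.items()}
    return {host: found for host, found in hits.items() if found}


# Constructed sample inventories; Q000001 and Q000002 are placeholder numbers.
SAMPLE = {
    "SRV-DC1": "Q319709 installed\nQ000001 installed\nq322019_x86.exe",
    "SRV-WEB": "Q323756\nQ000002",
    "WKS-07": "Q000001",
}

if __name__ == "__main__":
    for host, found in upgrade_worklist(SAMPLE).items():
        print(host, found)
```

A Q number alone does not show whether the original or the reissued hotfix is installed, so treat every hit as a system where the updated hotfix must be obtained and reinstalled after SP3.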