Microsoft released a comprehensive security update for Windows 2000 post-Service Pack 2 (SP2) systems on January 30. Security Rollup Package 1 (SRP1), which you can install only on Win2K SP2 systems, includes every security hotfix Microsoft has issued for post-SP2 systems, except the Web Distributed Authoring and Versioning (WebDAV) script hotfix I discuss below. SRP1 contains 21 hotfixes from 2001 and a new 2002 arrival that closes a forged SID loophole (see Security Bulletin MS02-001 for more information about this loophole). Because the rollup package installs 22 security hotfixes in one operation, it’s a great timesaver for those of you who haven't kept your systems current. If you’re creating new systems, you can put all 22 hotfixes in one slipstream directory and easily install the most recent and secure version of the OS from that directory. You can download SRP1 from the Microsoft Web site.
Select Network Installation to download a full copy of the rollup for offline upgrades. The offline download file, w2ksp2srp1.exe, which is 16.2MB and expands to 39MB, includes 191 files plus the update folder and files that install the rollup. If you want to perform an online update, select the Express Installation option. If you've already installed all the hotfixes your system needs, you can safely skip the rollup. If, as I anticipate, Microsoft releases SP3 soon, SP3 likely will include all the security rollup's fixes.
Remember that you must log on as an Administrator to upgrade an OS. You might need to disable any antivirus software before you start the procedure. In addition, make sure that you have adequate disk space and a reliable Internet connection for the Express Installation.
I had no trouble upgrading a Win2K Server SP2 machine using the network install file I downloaded. Likewise, I successfully upgraded my basic Win2K Professional SP2 system using the online Express Install. I suspect that the upgrades went smoothly because I hadn't installed hotfixes on either test system, an unlikely scenario for most production systems. Reader Claus Jensen didn't have similar success with the Express Install. According to Jensen, when he tried to install the package on two separate Win2K Pro PCs, the machines locked up several times during the installation phase.
After hearing about Jensen's experience, I researched the SRP1 documentation to try to identify potential potholes. In its infinite and incomprehensible wisdom, Microsoft has given us an update that contains a version-number conflict. The rollup repackages the Win2K Server Terminal Services hotfix that Security Bulletin MS01-052 documents, but, sadly, the file versions in SRP1 are older than the file version numbers in the standalone hotfix. The release notes in Microsoft article Q315683 document the file version discrepancies between the original MS01-052 security hotfix and SRP1 as follows:
If you try to overwrite a more recent file with an older file, Winstall will balk and might wreak havoc on your system. If you've already installed MS01-052, I strongly recommend that you remove that hotfix before you perform either a local or online SRP1 upgrade. I suspect that this file-version discrepancy might be one possible cause of Jensend's lockups. When you update security hotfixes online, the online code might install every security hotfix, including MS01-052—whether your system needs it or not. Post your SRP1 experiences—specifically, any problems you encounter and, whenever possible, the solutions—as comments in response to this article.
Some other important SRP1 problems include the following:
- SRP1 doesn't include the WebDAV script security hotfix, an update that closes a gaping scripting hole. I suspect that the rollup doesn't include WebDAV because WebDAV ships with the alternate installer, MSDAIPP, not hotfix.exe. To keep a vulnerable system current, you should also install the standalone WebDAV hotfix. You can read about the WebDAV vulnerability in Microsoft article Q296441.
- If you upgrade Internet Explorer (IE) after installing SRP1, you need to uninstall IE before you uninstall SRP1. Also, if you upgrade IE twice after installing this package, the SRP1 uninstall is no longer available. Here’s another packaging problem that should have been handled prior to the rollup’s release.
- As with most service packs, you’ll need to reinstall SRP1 after you add, reconfigure, or remove OS components or services.