Before you upgrade to Windows 2000 Service Pack 3 (SP3), you need to do several things to prepare your systems: Identify, download, and create a procedure for installing security hotfixes; and upgrade Microsoft Internet Explorer (IE) to IE SP2.

Identify Security Updates. SP3 contains 35 security hotfixes, some dating as far back as 2000. These hotfixes represent only a subset of the hotfixes Microsoft published prior to the release of SP3. SP3 doesn't install 16 published hotfixes from 2002 or any security hotfixes dated later than Security Bulletin MS02-029 (release date July 2, 2002). If you delay installation for several months, you’ll need to compare the list of embedded security hotfixes (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/w2ksp3.asp) with installed hotfixes on systems you plan to upgrade and hotfixes after MS02-029. After you identify the hotfixes you'll need to install, you can incorporate them into a combination build directory or create a script to apply them after the SP3 upgrade finishes. The online list of security hotfixes that SP3 includes is located at The Hotfix Installation and Deployment Guide, which also describes several techniques you can use to install multiple hotfixes with only one reboot.

Update Internet Explorer. In SP3, you can hide IE, Microsoft Outlook, and Outlook Express, but you need the most recent version of IE’s mshtml.dll to do so without error. If you install SP3 on a system running IE 5.5 SP1 or earlier, IE generates an access violation in the module Mshtml.dll when you hide the application. To avoid the access violation, upgrade IE 5.5 to SP2 or to IE 6.0 before you apply SP3. I discuss a related problem in Known SP3 Problems below.

Microsoft no longer bundles security hotfixes for current IE versions in service packs (I suspect this is an outcome of the Department of Justice's—DOJ's—antitrust lawsuit). SP3 does include the security updates packaged in SP2 for IE 5.01, but applies no security hotfixes for IE 6.0 or 5.5. You can find a list of current security updates for IE 6.0 and for IE 5.5.

Expect a Long Delay Upgrading Print Servers to SP3
When you install Service Pack 3 (SP3) on a machine that has a large number of UNIDRV-based Printer CL (PCL) printer drivers, the server can spend up to 2 hours regenerating the binary driver files to increase spooler efficiency. While the parsing is in progress, the spooler won't accept incoming print jobs and might return a message to clients stating that the print queue is full. After this one-time task is complete, the spooler will accept and process print job requests as usual.

Known SP3 Problems
Terminal Services Client Print Issues. Reader Kevin Skinner reports that after upgrading Windows 2000 Server Terminal Services to Service Pack 3 (SP3), Terminal Services clients can no longer print to local printers. Skinner says, "Our clients have now lost the ability to print locally. Have you heard of this issue and any ideas on how to fix it? I have searched your site and Microsoft's sites and have seen others post the same question, but have seen no solution anywhere." According to the rumor mill, Microsoft is aware of the problem and is working on a bug fix. You might find some hints in the Microsoft article "You Cannot Print to a Local Printer After Windows 2000 Service Pack 2 Is Installed".

Terminal Services clients might also experience intermittent problems when attempting to print a file that is hosted on a network share (but not a local document). If the user submits the print request using the mapped network drive letter, Terminal Services incorrectly appends the Universal Naming Convention (UNC) share name to the file, with the result that no document is actually printed. Users can work around this problem by referring to the document by UNC share name instead of the mapped drive letter. To permanently solve the problem, contact Microsoft Product Support Services (PSS) and ask for the Terminal Services bug fix that updates three files: printui.dll, winspool.drv, and winnotify.dll. The files have a release date of August 15. See the Microsoft article "Redirected Printing Through a Terminal Services Session May Not Work with Windows 2000 SP3".

Blue Screen During Shutdown. If the redirector has a pending I/O request when you shut down an SP3 system, you might see a blue screen with a stop code of 0x000000CE from mrxsmb.sys. PSS has a bug fix for this problem that updates two files, mrxsmb.sys and rdbss.sys; the files have a release date of August 23. For more information, see the Microsoft article "You Receive a 'Stop 0x000000CE' Error Message During Shutdown".

Profile Unload Error. In some cases, when a user changes printer definitions and then logs off, a handle leak prevents the system from updating the user’s profile. To confirm this problem, open the file %windir%\debug\usermode\userenv.log and look for references to MyRegUnLoadKey. Here’s a snippet of the messages I found in the logfile on my test system:

USERENV(e4.c8) 10:08:06:796 MyRegUnLoadKey: Hive unload for S-1-5-21-620241166-829637407-875454148-1027 failed due to open registry key. Windows will try unloading the registry hive once a second for the next 60 seconds (max).

USERENV(e4.c8) 10:09:06:882 MyRegUnLoadKey: Windows was not able to unload the registry hive.

USERENV(e4.c8) 10:09:06:882 MyRegUnLoadKey: Failed to unmount hive 5.

USERENV(e4.c8) 10:09:06:882 UnloadUserProfile: Didn't unload user profile .

USERENV(e4.c8) 10:09:06:882 DumpOpenRegistryHandle: 2 user registry Handles leaked from \Registry\User\S-1-5-21-620241166-829637407-875454148-1027.

The bug fix for the profile-unload error updates five files: localspl.dll, printui.dll, spoolss.dll, winspool.drv, and wlnotify.dll. All files have a release date of August 26. For more details, see the Microsoft article "Your Profile Is Not Unloaded If You Change Printer Settings and Then Log Off".
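
The userenv.log check described under Profile Unload Error can be scripted when you have many systems to review. The Python script below is an added example, not part of the original article or of any Microsoft tool; it assumes the line layout seen in the snippet above, and the second SID in its sample log is constructed to show a retry that never reached the failure message.

```python
import re
from datetime import datetime, timedelta

# Assumed layout, taken from the snippet: USERENV(<pid>.<tid>) HH:MM:SS:mmm <function>: <message>
LINE = re.compile(r"^USERENV\((\w+)\.(\w+)\)\s+(\d\d:\d\d:\d\d:\d{3})\s+(\w+):\s*(.*)$")
RETRY = re.compile(r"Hive unload for (S-1-[\d-]+) failed due to open registry key")
LEAK = re.compile(r"(\d+) user registry Handles leaked from \\Registry\\User\\(S-1-[\d-]+)")

# First five lines are the article's snippet; the last line is constructed for this example.
SAMPLE_LOG = r"""
USERENV(e4.c8) 10:08:06:796 MyRegUnLoadKey: Hive unload for S-1-5-21-620241166-829637407-875454148-1027 failed due to open registry key. Windows will try unloading the registry hive once a second for the next 60 seconds (max).
USERENV(e4.c8) 10:09:06:882 MyRegUnLoadKey: Windows was not able to unload the registry hive.
USERENV(e4.c8) 10:09:06:882 MyRegUnLoadKey: Failed to unmount hive 5.
USERENV(e4.c8) 10:09:06:882 UnloadUserProfile: Didn't unload user profile .
USERENV(e4.c8) 10:09:06:882 DumpOpenRegistryHandle: 2 user registry Handles leaked from \Registry\User\S-1-5-21-620241166-829637407-875454148-1027.
USERENV(f0.a4) 11:15:42:101 MyRegUnLoadKey: Hive unload for S-1-5-21-1111111111-2222222222-3333333333-1001 failed due to open registry key. Windows will try unloading the registry hive once a second for the next 60 seconds (max).
"""

def _clock(stamp):
    return datetime.strptime(stamp, "%H:%M:%S:%f")  # the log carries no date, only a clock time

def unload_failures(log_text):
    """Summarize hive-unload retries per SID; gave_up marks the confirmed profile-unload error."""
    result, pending = {}, {}  # pending maps (pid, tid) to the SID that thread is unloading
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, tid, stamp, func, msg = m.groups()
        thread = (pid, tid)
        retry, leak = RETRY.search(msg), LEAK.search(msg)
        if func == "MyRegUnLoadKey" and retry:
            pending[thread] = retry.group(1)
            result[retry.group(1)] = {"first_retry": stamp, "gave_up": False,
                                      "retry_seconds": None, "leaked_handles": 0}
        elif func == "MyRegUnLoadKey" and "not able to unload" in msg and thread in pending:
            rec = result[pending.pop(thread)]
            waited = _clock(stamp) - _clock(rec["first_retry"])
            if waited < timedelta(0):  # retry window crossed midnight
                waited += timedelta(days=1)
            rec["gave_up"] = True
            rec["retry_seconds"] = waited.total_seconds()
        elif func == "DumpOpenRegistryHandle" and leak and leak.group(2) in result:
            result[leak.group(2)]["leaked_handles"] = int(leak.group(1))
    return result

if __name__ == "__main__":
    for sid, rec in unload_failures(SAMPLE_LOG).items():
        print(sid, rec)
```

Entries with gave_up set to True and a nonzero leaked_handles count match the symptom the bug fix addresses; entries with gave_up False only show that a retry began.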