In case you missed the news last week, Microsoft released Windows 2000 Service Pack 4 (SP4) on June 26. (Visit http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp for the complete details.) This upgrade contains 668 patches to the Win2K SP3 version, including 161 base OS updates, 78 Directory Service (DS) fixes, 42 Microsoft IIS/COM+ fixes, 9 setup fixes, 65 tweaks to management/administration tools, 3 Microsoft Data Access Components (MDAC) fixes, 22 message queuing fixes, 71 networking fixes, 27 updates to correct printing problems, 94 fixes that affect security, 50 shell fixes that improve how the GUI responds, 18 Win2K Server Terminal Services fixes, 13 program-compatibility patches that improve the execution of legacy applications, and 17 fixes classified as "other."
Service pack upgrades require more free disk space if you install them locally by using a CD-ROM or the SP4 download because you need space to store the expanded files. You also need more disk space when you create an uninstallation directory because the setup utility moves to the uninstallation folder all files that the installation replaces. I recommend you use an uninstallation directory, especially in the first few weeks of the release, until the upgrade proves satisfactory. To install Win2K SP4 on Win2K Professional, you need a maximum of 340MB for a local installation and 280MB of free space for a network installation. If you don't create an uninstallation directory, you need 165MB for a local installation and 105MB for a network installation. To upgrade Win2K server platforms, a local installation requires 410MB of free space, and a network installation requires 320MB of free space. If you don't create an uninstallation directory on server platforms, the space requirements are 190MB for a local installation and 105MB for a network installation.
Base OS Fixes
The base OS bug fixes include a major tune-up to file replication, which the Microsoft article "Improvements in the Post-Service Pack 3 Release of Ntfrs.exe" (http://support.microsoft.com/?kbid=811217) discusses; the most recent version (March 2003) of the redirector mrxsmb.sys and rdbss.sys; improvements to USB 1.0 device management and drivers for USB 2.0 Enhanced Host Controller Interface (EHCI) devices; and Ntbackup patches that eliminate erroneous tape-cleaning messages and improve the speed of backups when Physical Address Extension (PAE) is enabled. This category also eliminates 10 blue screens that occur in a variety of OS components, including a crash that occurs when you remove a USB hub or have an open CD-ROM drive during shutdown, blue screens that occur in the file system, and two failures that can occur during system shutdown.
In the DS group, Win2K SP4 includes the post-SP3 AD rollup hotfix that the Microsoft article "Windows 2000 Post-Service Pack 3 Active Directory Rollup Hotfix" (http://support.microsoft.com/?kbid=318533) discusses, numerous fixes to DNS, a fix for a blue screen that occurs during large file rename operations, and fixes for the Dcdiag utility. Several fixes eliminate bugs in password management, including bugs that affect the ability to enforce password complexity and the ability to log on immediately after a password has been changed.
IIS and COM+ Fixes
In the IIS/COM+ category, SP4 includes the post-SP3 COM+ hotfix rollup package 25 that the Microsoft article "INFO: Availability of Windows 2000 Post-Service Pack 3 COM+ Hotfix Rollup Package 25" (http://support.microsoft.com/?kbid=814886) discusses, fixes to SMTP and object handling, and the IIS cumulative patch described in Microsoft Security Bulletin MS03-018 (Cumulative Patch for Internet Information Service). As I discussed in last week's column (http://www.winnetmag.com/articles/index.cfm?articleid=39378), the IIS cumulative patch might introduce COM+ problems in some Active Server Pages (ASP) applications.
Several networking fixes eliminate bugs in VPN servers and clients: A VPN server running RAS and Network Address Translation (NAT) no longer crashes, XP SP1 clients can connect to a Win2K VPN server that operates as part of a cluster (instead of receiving the error Remote PPP peer is not responding), and clients can browse shares on a VPN server (instead of receiving System error 53: The network path was not found, or System error 64: The specified network name is no longer available). Other improvements of note: The timeout for an inaccessible file share has been reduced, so clients no longer wait for several minutes when attempting to browse an Open or Look In dialog box for a file share on a system that's not available; also, the printing subsystem got a major cleanup (the spooler service no longer crashes or causes the kernel component Win32k.sys to fail).
SP4 installs 7 of the 22 Win2K hotfixes Microsoft has released since January 2003, plus several security updates from 2002. To assist you in auditing your systems, I'm including a list of the Microsoft article numbers and related security bulletins for the 2003 security hotfixes included in SP4. If you've installed other 2003 hotfixes, you'll need to build an integrated installation to embed the more recent hotfixes into new system images.
• "MS03-001: Unchecked Buffer in the Locator Service Might Permit Code to Run" (http://support.microsoft.com/?kbid=810833); Microsoft Security Bulletin MS03-001
• "MS03-007: Unchecked Buffer in Windows Component May Cause Web Server Compromise" (http://support.microsoft.com/?kbid=815021); Microsoft Security Bulletin MS03-007
• "MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks" (http://support.microsoft.com/?kbid=331953); Microsoft Security Bulletin MS03-010
• "MS03-013: Buffer Overrun in Windows Kernel Message Handling Could Lead to Elevated Privileges" (http://support.microsoft.com/?kbid=811493); Microsoft Security Bulletin MS03-013
• "MS03-015: April, 2003, Cumulative Patch for Internet Explorer" (http://support.microsoft.com/?kbid=813489); Microsoft Security Bulletin MS03-015
• "MS03-018: May 2003 Cumulative Patch for Internet Information Services (IIS)" (http://support.microsoft.com/?kbid=811114); Microsoft Security Bulletin MS03-018
• "MS03-019: Flaw in ISAPI Extension for Windows Media Services Could Cause Denial of Service" (http://support.microsoft.com/?kbid=817772); Microsoft Security Bulletin MS03-019
Keep in mind that the June 3 cumulative patch for IE supersedes the patch in Microsoft Security Bulletin MS03-015. See Microsoft Security Bulletin MS03-020 (Cumulative Patch for Internet Explorer) for details. Although the file-protection feature should prevent downgrading of files to earlier versions, I suggest you test this theory before you roll out SP4 to production systems.
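One way to run the downgrade test suggested above, as an added example that is not part of the original column: record file versions on a test system before and after installing SP4, then flag any file whose version went down or that disappeared. The `filename,version` snapshot format, the sample version numbers, and the file name `hotfixed.dll` are constructed for illustration; how you collect the versions is up to you.

```python
# Added example: detect file downgrades between two version snapshots.
# Assumed snapshot format: one "filename,version" pair per line.

# Constructed sample data (not real SP4 file versions).
BEFORE = """\
mrxsmb.sys,5.0.2195.900
rdbss.sys,5.0.2195.900
hotfixed.dll,6.0.2800.1200
"""
AFTER = """\
mrxsmb.sys,5.0.2195.1000
rdbss.sys,5.0.2195.900
hotfixed.dll,6.0.2800.1100
"""

def parse_version(text):
    """Turn '5.0.2195.900' into (5, 0, 2195, 900) so parts compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad short versions with zeros

def load_snapshot(text):
    """Parse snapshot text into {lowercased filename: version tuple}."""
    snapshot = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split(",", 1)
        snapshot[name.strip().lower()] = parse_version(version)
    return snapshot

def find_downgrades(before, after):
    """Return (file, old, new) for each downgraded file; new is None if missing."""
    findings = []
    for name, old in sorted(before.items()):
        new = after.get(name)
        if new is None or new < old:
            findings.append((name, old, new))
    return findings

if __name__ == "__main__":
    for name, old, new in find_downgrades(load_snapshot(BEFORE), load_snapshot(AFTER)):
        print(name, old, "->", new)
```

Comparing versions as tuples of integers matters here: as plain strings, `5.0.2195.1000` sorts before `5.0.2195.900`, which would report the `mrxsmb.sys` upgrade in the sample as a downgrade.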
Known Problems with SP4
Win2K SP4 has the following known problems and concerns that you should be aware of.
• Microsoft Internet Explorer (IE): As with Win2K SP3, SP4 has an IE-related problem that affects whether SP4 appears in the Add/Remove Programs Control Panel applet. If you install SP4 and then install IE, SP4 doesn't appear in the Add/Remove Programs list. If this happens and you want to remove SP4, you need to go to the Spuninstall directory and manually run the spuninst.exe utility.
• Hotfix conflicts: Microsoft has released 33 hotfixes to selected customers, and these hotfixes aren't compatible with Win2K SP4. Although these hotfixes don't prevent installation of SP4, you must install the new post-SP4 version to ensure the hotfix functions properly. SP4's setup utility is aware of all 33 hotfixes, won't install service pack files that conflict with files in any of these hotfixes, and will warn you that you need to install the updated versions. You'll find a list of the hotfixes you need to update in the Microsoft article "Some Windows 2000 Hotfixes May Cause a Conflict with Service Pack 4 for Windows 2000" (http://support.microsoft.com/?kbid=822384). The post-SP4 versions are available from Microsoft Product Support Services (PSS).
• Symantec's Norton Personal Firewall and Norton Internet Security 2001: SP4 is incompatible with both security products. If you install SP4 on a system running either of these utilities, IE times out when you browse a Web page, and Microsoft NetMeeting might take several minutes to accept incoming calls. Symantec has updates for both products that eliminate these incompatibilities.