I spend a lot of time reading what other people have to say about Windows. Through the years, I’ve found that a lot of the most common advice from so-called Windows experts is misleading or flat-out wrong. In Windows XP Inside Out, Second Edition, Carl, Craig, and I directly addressed many of these myths in sections entitled “Reality Check.” (You might be surprised by the number of myths we shatter in this book!)
One of the most common rants I’ve read lately is from experts advising experienced Windows XP users to turn off Automatic Updates and handle the job of patching Windows by downloading updates directly. This is a Very Bad idea. Here’s why.
After my recent post on overcoming SP2 problems, I received an e-mail message from an old friend who works on the Windows team. He makes a good case for why every Windows user should have Automatic Updates turned on.
By way of background, the two most common killer problems that afflict SP2 are caused by (1) a piece of rogue software called TVMedia, which causes a blue-screen (STOP) error when you restart your computer after installing SP2l; and (2) an outdated BIOS on a computer running a Pentium 4 chip based on Prescott C-0 processor stepping, which causes your computer to hang when you restart after installing SP2.
It’s important to note in both cases that the problem is external. The real solution is updating your BIOS or getting rid of the spyware, but that’s cold comfort when your computer has stopped working and trying to install SP2 was the last thing you did.
OK, Microsoft identified these problems within a very short time after releasing SP2 to the world and came up with fixes to prevent the blue-screen errors and hangs. I’ll let my friend at Microsoft explain what happened:
Windows Update (WU) and Automatic Update (AU) can detect a machines configuration (regkeys and files installed) which is how we know when to offer specific security updates, when they have been installed, etc. (privacy note: WU downloads a blob of data that describes the fixes available and their respective requirements and the local machine actually scans itself, its not scanned by the server.) As soon as we became aware of these two issues in August, we immediately put “safety blocks” on WU and AU so that SP2 would not be offered to anyone with either of the two conditions you note, and documented it in a KB article.
Then, as we developed, tested and signed off on the specific fixes later, we then posted those fixes on WU/AU, and modified the detection logic. Thus, if a customer has tvmedia or the problematic Pentium chips, the updates are offered up front, instead of SP2. Once they are installed where needed, SP2 shows up via WU or AU. So a simple test is to go to Windows Update if you see SP2, then you dont have an issue. If you dont see SP2, but see one of these two packages, install it and then go back to WU. For the AU customer, this will happen automatically on the first day, the updates are installed, and on the next day, SP2 starts downloading.
Each of these updates is only offered to machines that needs them, not to the general population. This is one of the reasons we encourage average users to install SP2 via WU/AU, in addition to the download size savings.
Ironically, the people who have Windows Update and Automatic Update disabled are MOST likely to be bit by this issue. The nightmare scenario, in fact, is for an expert user to try to outsmart the system by downloading SP2 directly and then installing it manually. If you try to do this on a system that is afflicted with either of these problems, and you didn’t install one of the two patches designed to prevent the problem, the results will be ugly.
For those who prefer to be conservative about patches, it is easy to configure Automatic Update so that it downloads any necessary patches but doesn’t automatically install them. Instead, you get a notification in the taskbar alerting you that new patches are available. Click the icon to see the full list, read all the details, and decide for yourself whether you want to install them.
Ed Bott 
I completely agree. People who are conservative and don’t have automatic patching turned on need to realize they are far far more likely to have a system that’s been compromised than to have a system broken by a patch that breaks their system.
You closed comments on your entry about SP2 and BitTorrent: http://www.edbott.com/weblog/archives/000183.html (wish I’d known that before I my quick comment turned into a much longer one)
…and you suggested posting them instead to a newer thread. So with apologies for the off-topicity (whee, fun new word), here goes:
Microsoft WAS overloaded with SP2 downloads. I don’t know if it was server load or bandwidth, but it took me a full day’s effort just to get it started, and about three days to complete (on a T1). I saw many other reports of the same problem too, so it wasn’t just me.
This is exactly where BitTorrent would have been great, especially if Microsoft itself had offered it that way. (As a file-delivery mechanism, BitTorrent scales MUCH better than HTTP or even FTP.)
In the absence of Microsoft offering it that way, I’d rather at least have the option of doing my own detective work and deciding whether to trust a third-party from whom I CAN download it when I want to.
In this case, I happened to trust Downhill Battle, partially because they openly offered the MD5 hash information as evidence of authenticity, and moreso because the file itself was digitally signed by Microsoft.
For that matter, there are plenty of “traditional” 3rd-party download sites which are trustworthy (e.g. CNet/ZDnet, Snapfiles, Majorgeeks, TuCows), and I’ve never heard the same stink about downloading from them. I think the “peer” factor to BitTorrent is the difference, and people are used to not trusting other peer-to-peer networks. That’s why MD5 hashes and the like are handy (the BitTorrent protocol ensures that what you download is the same thing intended by the original seeder).
So I don’t think it’s necessarily stupid, as you do. It IS stupid to download from an untrusted source though, but it’s pure laziness which makes people skip the due investigation of that source and trust without cause.
Sorry about closing those comments. Unfortunately, I was getting slammed with comment spam, and that is a very popular thread.
You make an interesting argument. Two responses:
The problems with the download site were transient and predictable. There was a phased rollout of the download anyway, so waiting a couple days was no big deal. Also, most BitTorrents deliver content at a relatively slow bit rate. In my experience, speeds are typically about 5% or less of what a full-speed download from an authorized site would be. So you could literally wait a day or two for the site to come back up and still be able to download it faster than you would have done with a BitTorrent.
I understand that third parties distribute software for shareware publishers. But security patches and software have a very high risk associated with them. Can you point to a single maker of security software that makes patches/updates available through anything other than an official source? If you were Microsoft, how would you cope with support calls where the support person has to ask, “Where did you download the patch from?” and one of the possible sources is an untraceable BitTorrent stream?
Ed
Sometimes waiting a few days isn’t an option.
In my experience, a highly-popular BitTorrent download is way faster than a highly-popular traditional download (since BitTorrent is cooperative instead of competitive). Granted, though, that trend decreases the less popular a download is.
I can’t see what it matters where the download has been, when you can verify its authenticity via its digital signature.
However, I do see the question arising: “was the download digitally signed?” and many people not knowing or understanding how they would have checked. (Coincidentally SP2 is louder about digital signatures in the UI for this reason). It was probably easier for Microsoft to just attack the 3rd-party source than to educate users on this issue right now.
Better would be for Microsoft to offer future monolithic/highly-popular downloads via BitTorrent themselves. No need for their own BitTorrent client, mind you, they could just support it on the server side (much as they’ve done with RSS, for which they have no real client-side support yet).
If Microsoft did BitTorrent, 3rd-party sites like Downhill Battle wouldn’t feel the need to, nor would anyone want to use them.
Good post. Is the automatic update on or off by default? In other words, when you get windows how is it before changing anything?
When you install SP2, you are prompted to turn on Automatic Updates.The text strongly urges you to turn it on, although you get to make the choice.
Sorry to post this related but naïve question : I decided to trust Microsoft patches a long time ago and set automatic updates to “on” from the first days. I discovered lately that not only something had turned my automatic update to “notify me” but also that this something had grayed the whole automatic updates dialog box, making it impossible for me to switch back to automatic updates “on”. Any help would be appreciated.