“You need to install SP2. Period.”

The Washington Post’s Rob Pegoraro calls SP2 a Must For XP Users:

Individual Windows users bear the same responsibility: If you run XP, you need to install SP2. Period. Loading a system update this big is never risk-free, but the far bigger risk is to keep stumbling along with an unpatched copy of Windows XP. Ask a computer-savvy friend to install it if you must. But don’t wait for the viruses and worms to stop coming. They won’t.

Generally accurate and a well-balanced view.

SP2 and raw sockets

According to security expert Dana Epp, Windows XP SP2 no longer supports “raw sockets”:

Ok, now this just sucks.

One of the ‘security additions’ added to XP SP2 is the fact that raw sockets are no longer available. Result? Tools like nmap no longer work in their current form.

The reason from Microsoft. ‘Only attack tools seem to use raw sockets’.

ARG!!!!!!!!!!!

So be forewarned. If you upgrade to SP2, you will lose access to nmap. Now I got a valid reason for keeping my other Linux box around 😉

In this white paper, Microsoft explains:

A very small number of Windows applications make use of raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:

  • TCP data cannot be sent over raw sockets.
  • UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped.

Why is this change important? What threats does it help mitigate?

This change limits the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets, which are TCP/IP packets with a forged source IP address.

Dana’s credentials are impeccable, and his complaint that SP2 breaks some legitimate security tools is an important one. At the risk of opening an old battle… Steve Gibson made a giant fuss over this topic in 2001, claiming that access to raw sockets is “clearly dangerous.” Not everyone agreed with Steve, and I haven’t heard much on the topic since that fuss died down three years ago.

In fact, even though this change was announced months ago and has been part of SP2 throughout its beta, we’ve heard very little about it. Funny.
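The two send-side restrictions quoted from the white paper above, modeled as a packet check. This is an added example, not Microsoft's code and not part of the original post. The function names, the documentation-range addresses and the constructed packets are assumptions for illustration, and treating everything the two rules do not name as allowed is a simplification.

```python
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
HEADER_FMT = "!BBHHHBBH4s4s"       # fixed 20-byte IPv4 header, no options
LOCAL_ADDRS = {"192.0.2.10"}       # constructed: addresses bound to local interfaces

def build_ipv4(proto, src, dst, payload=b""):
    """Build a minimal IPv4 datagram (constructed test data, checksum left at 0)."""
    return struct.pack(
        HEADER_FMT,
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    ) + payload

def raw_send_decision(packet, interface_addrs):
    """Return (allowed, reason) for a datagram an application hands to a raw socket."""
    if len(packet) < 20:
        return False, "truncated IPv4 header"
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack(HEADER_FMT, packet[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        return False, "not a valid IPv4 header"
    src_ip = str(ipaddress.IPv4Address(src))
    # Rule 1: TCP data cannot be sent over raw sockets.
    if proto == IPPROTO_TCP:
        return False, "TCP data cannot be sent over raw sockets"
    # Rule 2: a UDP source address must exist on a network interface.
    if proto == IPPROTO_UDP and src_ip not in interface_addrs:
        return False, "UDP source %s is not on a local interface" % src_ip
    return True, "not covered by either restriction"

def demo():
    """Run the check over four constructed datagrams and return the decisions."""
    samples = {
        "tcp_local_src": build_ipv4(IPPROTO_TCP, "192.0.2.10", "198.51.100.5"),
        "udp_forged_src": build_ipv4(IPPROTO_UDP, "203.0.113.77", "198.51.100.5"),
        "udp_local_src": build_ipv4(IPPROTO_UDP, "192.0.2.10", "198.51.100.5"),
        "icmp_local_src": build_ipv4(IPPROTO_ICMP, "192.0.2.10", "198.51.100.5"),
    }
    return {name: raw_send_decision(pkt, LOCAL_ADDRS) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print("%-15s %-5s %s" % (name, "send" if allowed else "drop", reason))
```

The first rule rejects TCP regardless of source address, which is why a tool that builds its own TCP packets stops working even when it forges nothing.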

BitTorrent and SP2

A note to new arrivals: This is one of the most popular pages on this site, for some reason. At any rate, if you came here looking for links to download SP2, try this one (or this one, if you prefer a simpler approach). The following is the original post that occupied this page.

This is dumb. Really dumb.

BBC News reports that File-sharers are offering SP2 over BitTorrent, a peer-to-peer file-sharing system.

File-sharing activists are using Microsoft’s key update for Windows XP to highlight the benefits of peer-to-peer technology.

A lobby group called Downhill Battle has set up a link using file-sharing software to distribute the SP2 update.

Microsoft told BBC News Online it was investigating the site.

Where do I begin? First, never download executable programs (including operating system patches) from untrusted sources. Never never never. I use BitTorrent regularly to download legal live music performances by my favorite “taper friendly” bands. But I would never (never never never) use it to download an executable program that could contain a virus or a Trojan horse program.

Second, the bits are already available on a legitimate high-bandwidth connection and as a low-speed download via Automatic Updates. BitTorrent is a great way of sharing files that aren’t available on an FTP server, but it’s a pointless waste when the files are already available to any and all comers with no restrictions.

Like I said, this is just plain dumb.

[Thanks to TechDirt for the pointer.]

Update: BitTorrent is a marvelous tool and a great way to share files over distributed networks. However, it isn’t necessary when the file in question is already available via a fast, readily available public server, as SP2 is. So if you came here looking for information about getting SP2 via BitTorrent, leave a comment and tell me why.

How big is SP2?

Samson Joe sends along an excellent question:

How big is the SP2 file and how long will it take for me to install it using a dial up connection? When I downloaded SP1, it took me about 2 hrs. If I have my PC set to auto updates and the SP2 starts to download in background while I’m doing other stuff, when I get off the PC and the downloading is not complete, does the download start all over from the beginning when I get back on my PC? or does it continue where the downloading got left off?

The SP2 file you get through Automatic Updates will be roughly 70MB in size (maybe a bit more, depending on your Windows version). That’s significantly less than the full network installation of 266MB. If you already had the RC2 beta of SP2 installed, the download will be about 30MB.

The download uses the Background Intelligent Transfer Service (BITS), which takes advantage of unused bandwidth on your Internet connection. It’s been a long time since I used a dial-up connection for any serious file downloads. But as I recall, a 56K connection at full speed can typically pull down a 1MB file in about 10 minutes. Extrapolating from that, I would expect it to take at least 12-15 hours for SP2 to appear via Automatic Downloads. You can decrease your wait by leaving your dial-up connection on when you’re not using your computer and by avoiding other high-bandwidth tasks when you see that Automatic Updates is downloading the file (there should be an icon in your Notification Area, aka the system tray, that alerts you to this).

Although I haven’t seen it in operation, I have been told that Automatic Updates does indeed cache the files as it goes. So if you shut down your system or disconnect from the Internet partway through, the download will resume at the point where you left off when you return.

More SP2 reviews

Dwight Silverman of the Houston Chronicle has an excellent Windows XP SP2 guide. His conclusion: “Although downloading and installing an upgrade of the magnitude of Windows XP SP2 is not trivial, it’s worth it. The result will be improved peace of mind, and using the Net may actually be a pleasure again.”

The usual suspects are out with scare stories on SP2 breaking things. The Inquirer, for instance, has this scary headline: Teething troubles hit Windows XP SP2. “A number of people are having problems after they’ve installed service pack 2 of Windows XP.” Gee, imagine that. The details are, not so remarkably, lacking. “A number”? Care to be more specific?

IT World has a whole package of stories that pooh-pooh the upgrade, including this one: ITworld.com – Users report SP2 breaks their applications.

Because of the extensive changes that Service Pack 2 includes, the software giant has urged developers and IT professionals to test the update thoroughly. However, “it just seems that Microsoft doesn’t quite understand how difficult this is to do,” said Bill Lewkowski, CIO at Metropolitan Health, a company with 1,300 users recently migrated to Windows XP with SP1. “We can’t do unplanned, unbudgeted service pack releases that are very similar to putting in a whole new version of an operating system,” said Lewkowski. “I’m frustrated with Microsoft.”

Yeah, that darn Microsoft. They just don’t know how to test software. Poor Bill must have missed the gazillion or so stories announcing the public beta test of SP2, which has been available for public download and testing for months. Most corporations with 1000-plus users could easily qualify for special testing privileges, and those that are truly forward thinking have been doing so. The rest are busy whining to reporters about the released product.

The Seattle Post-Intelligencer has a nice round-up of other reviews on its excellent Microsoft Blog.

Bottom line: If you’re a home user, get SP2. You’ll thank me. I assume you’re smart enough to do regular backups and that I don’t need to remind you about that. If you’re running a corporate network, you obviously want to do your own testing first, and you don’t want your users randomly installing operating system upgrades. If you aren’t prepared for this, you need to talk with your IT staff.

SP2 now available for download

The full English-language version of Windows XP Service Pack 2 (“for IT Professionals and Developers”) is now available for download. It’s huge — 266 MB, so make sure you have a fast connection to get it. This includes every update for every version of Windows XP.

If you have a slower connection, turn on Automatic Updates or wait for the Windows Update version, which will tailor itself to your exact installation.

Go get it!

SP2 is released

The official notice: Microsoft Releases Windows XP Service Pack 2 with Advanced Security Technologies to Computer Manufacturers:

Microsoft Corp. today announced the release to manufacturing of Windows® XP Service Pack 2 with Advanced Security Technologies. This free service pack delivers the latest security updates and innovations from Microsoft, establishes strong default security settings, and adds new proactive protection features that will help better safeguard computers from hackers, viruses and other security risks.

If you have Automatic Updates turned on, the service pack bits will download automatically to your computer beginning in a few days. This download will consume between 75 and 95 MB of disk space, depending on your Windows version. When the download is complete, it will launch automatically, although it won’t do so in the background.

At some point before the end of this month, you’ll be able to download a full SP2 package that you can burn to CD. This download will be significantly larger–probably in the 270MB range. You can also order a CD from Microsoft.

As before, if you have any questions, send me a note. I’ll answer as many questions as I can here.

PS: Microsoft says they expect to deliver 100 million copies of SP2 through Automatic Updates in the next few months. Wow.

Still waiting…

No Windows XP SP2 yet. Apparently there was a last-minute glitch that needed to be fixed.

Meanwhile, I recommend you check your Automatic Update settings, and make sure it’s set to automatically download all Critical Updates. Windows XP will automatically download this big update in the background, without disturbing your work.