Businesses slow to move to SP2

Only a quarter of Windows XP corporate machines have been upgraded to Service Pack 2, study shows.

Ina Fried Former Staff writer, CNET News
During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.
Ina Fried
3 min read
Microsoft has urged businesses running Windows XP to upgrade their machines to take advantage of added security features, but only a quarter of XP corporate machines have been upgraded to Service Pack 2, according to a new study.

In a study of 136,000 corporate PCs, Canadian asset tracking firm AssetMetrix found that more than one-third of the computers were running Windows XP, but only 24 percent had installed the security-oriented Service Pack 2 upgrade.

Companies were initially reticent to jump to SP2 when it debuted last year, but the AssetMetrix study found that most companies weren't blocking SP2 entirely; they just had not upgraded in large numbers. Of the 207 companies that were using XP on at least 10 machines, about 40 percent were blocking SP2 universally. At the other extreme, about 8 percent had forced the SP2 on all XP-based machines as a matter of policy.

"Very few companies have drawn the line in the sand," said Steve O'Halloran, managing director of AssetMetrix Research Labs. "A good deal of the companies have a mixed environment."

Smaller companies were somewhat more likely to fully move to SP2, but in general most businesses tended to have it only on some sub-segment of their XP-based computers.

A Microsoft representative said the figures from AssetMetrix are in line with what the software maker had expected, noting that it anticipated deployment would take 12 to 18 months for many large companies.

The company said a survey it did late last year of 800 enterprise customers found that three-quarters of the businesses planned to deploy SP2 by the middle of this year. Among the companies Microsoft highlighted were Merrill Lynch, which plans to deploy SP2 across 50,000 desktops over the next several months and law firm Holland & Knight, which recently completed deployment of SP2 across all 3,500 desktops.

The report comes just as many businesses will suddenly find themselves with a lot more users of SP2. Until now, companies have been able to block computers from automatically downloading SP2 from Microsoft's server even as the machines continue to get other updates to Windows. However, as of April 12, that option will end and all XP computers that have Windows XP's automatic update feature enabled will receive SP2.

Microsoft first announced the SP2 blocking tool last August. A month later, Microsoft extended the grace period allowing customers to block SP2 through April 12.

AssetMetrix is recommending that companies test and deploy SP2 ahead of the April 12 deadline. In addition to the security benefits, O'Halloran noted that SP2 is likely to be the only version of XP that will be compatible with Microsoft's forthcoming Internet Explorer 7 and that support for Service Pack 1 is slated to end late next year.

But O'Halloran said that many companies either haven't established a formal policy toward SP2 or were not enforcing that position.

"We're noticing a lack of coherence between what people want to do and what people are doing."

Even after next week's deadline, companies can still choose to avoid SP2 by using either a Microsoft or third-party program to have updates gathered from a company's internal server, rather than directly downloaded from Microsoft.