SP2 sent the message that Microsoft was very serious about security. It added new security functionality to XP--an enhanced firewall that was enabled by default, support for the NX bit used by processors to control buffer overflows, and elimination of raw socket support--and strengthened e-mail and browser security.
Microsoft's postponement of SP3 sends the opposite message. Lately, whatever question a Microsoft customer might ask, the answer has been "Upgrade." With support for Windows versions 98, ME, and 2000 now a thing of the past, if you want a more secure version of Internet Explorer, how do you get it? Upgrade to XP. Now it appears that with Vista on the horizon, the sun is setting even for XP.
One user, in a comment posted to Neowin.net's story on the delay, pointed out that anyone who installs (or reinstalls) XP then has to follow up with two major software updates (Windows Installer and Windows Genuine Advantage) and 73 critical updates.
I wonder what percentage of XP machines are fully patched. Microsoft estimates that 75 to 80% of home PCs are running XP. I think that number is high by as much as 15 or 20 percentage points, but whatever the actual figure, it's going to take at least five years for Vista to reach that level. Postponing support for XP with SP3 isn't the right answer. XP is going to be around for a long time, regardless of what Microsoft's "lifecycle support" timetable may say. If Microsoft is as serious about security as the company says it is, we need SP3 sooner rather than later.