Businesses Slow To Deploy Windows XP SP2

With security vulnerabilities at an all-time high, you'd think IT departments would be rushing to deploy Microsoft's most-secure operating system, Windows XP Service Pack 2. Yet, eight months after its release, SP2 still accounts for only a small percentage of the operating systems in use on business PCs.

The latest evidence of SP2's slow uptake came in a report last week from AssetMetrix Inc., a service provider that helps companies analyze computing infrastructures. In a survey of 136,000 PCs at 251 North American companies, AssetMetrix found SP2 installed on only 9% of systems. "More companies are tending to hold back on SP2 than accept it as a standard," writes Steve O'Halloran, managing director of AssetMetrix Research Labs.

The findings are "in line" with Microsoft's expectations, a company spokesman says, explaining it can take up to 18 months for companies to test and plan large-scale rollouts of SP2.

Microsoft released SP2 in September as a security-bolstering upgrade to its 4-year-old Windows XP, and there have been more than 185 million downloads of the software since then. Business adoption of SP2 has lagged the consumer market as IT departments test it for compatibility with existing applications. A lack of the tools needed to do that didn't help. It wasn't until last month that Microsoft's Application Compatibility Toolkit 4.0 for SP2 became available.

Crutchfield Corp. is among the companies that have decided it's better to upgrade now. The consumer-electronics retailer is halfway through what's expected to be a seven-month-long upgrade to SP2. The company has about 560 Windows-based PCs spread among five Virginia locations. In addition to tightening security, a move to SP2 will force Crutchfield to "clean up" its application practices a bit, says Steve Weiskircher, director of IT and acting CIO.

Crutchfield uses approximately 350 applications, including internally developed apps for order-entry and -processing, warehouse-management, inventory, and general-ledger work. The challenge for the company's 18-person software-development team is to test all of those applications for SP2 compatibility before deploying it.

To expedite testing, Crutchfield is using Identify Software Ltd.'s AppSight Black Box technology, which creates a log during testing to help developers identify and address incompatibilities. "Our development staff was able to make very quick changes to our code to become SP2 compatible and run without incident or provide feedback to [independent software vendors] to make modifications as required," Weiskircher says.

Crutchfield tackled its largest department first, completing an upgrade of 250 PCs in the customer-contact center two weeks ago. It's testing warehouse-distribution applications now, with SP2 deployment planned for warehouse PCs in a few days. The plan is to have all PCs upgraded by the end of June.

A primary goal of the SP2 deployment was to rid the company's call-center PCs of spyware, which had become a problem because employees visit other Web sites when helping customers during calls. The upgrade also should make life easier for Crutchfield's small IT-support team. Instead of deploying patches to a variety of Windows versions, IT staffers will be able to focus on just one release, SP2. "Patchwise, it's considered a big win for our administrators," Weiskircher says.

The degree to which companies are prepared for SP2 could come into play April 12 when Microsoft disables a blocking tool that prevented SP2 downloads among PCs that use Windows' Automatic Update feature. When the blocking tool is disabled, SP2 will be automatically downloaded to those systems. Microsoft says fewer than 1% of enterprise customers should be affected by the change.