Most firms face security 'red alert' as XP SP2's retirement looms

77% of organizations run the almost-obsolete OS on 10% or more of their PCs, says survey

Three out of four companies will soon face more security risks because they continue to run the soon-to-be-retired Windows XP Service Pack 2 (SP2), a report published today claimed.

Toronto-based technology systems and services provider Softchoice Corp. reports that 77% of the organizations it surveyed are running Windows XP SP2 on 10% or more of their PCs. Nearly 46% of the 280,000 business computers Softchoice analyzed rely on the aged operating system.

"This is a red alert," said Dean Williams, services development manager at Softchoice. "This isn't something you can safely ignore, like you might have before."

Williams was referring to the impending end-of-support deadline that Microsoft Corp. has set for Windows XP SP2, a service pack that debuted in the fall of 2004. After July 13, Microsoft will stop issuing security updates for SP2, a move that has users scrambling to update to Windows XP SP3, which will be supported until April 2014.

"Windows XP SP2 is deployed in 100% of the companies [surveyed] to some extent," said Williams. "But that doesn't tell the whole story. On average, 36% of the PCs in every organization run SP2."

Softchoice obtained its data from customers of its IT assessment services, which include asset, hardware life cycle and licensing management. It analyzed 278,000 PCs in 117 U.S. and Canadian organizations in education and the financial, health care and manufacturing industries. The firm weighted the number of XP SP2 systems in each polled organization to arrive at the average usage mark of 36%.

Most companies have work to do, Williams said, citing the 10% threshold of Windows XP SP2 systems. "It's unrealistic to expect them to execute a deployment of Windows 7 in the next three weeks," he said. "But they should determine who is affected and get them updated to Windows XP SP3 immediately."

Windows XP SP3, which Microsoft released in May 2008, is available as a free upgrade to all Windows XP users. Microsoft has promised to support XP SP3 with security updates until April 8, 2014.

Softchoice's data is similar to numbers produced last month by Qualys Inc., which said that approximately half of all enterprise PCs running some version of XP were using SP2.

According to Web metrics company Net Applications, 62.5% of all personal computers worldwide ran Windows XP in May. Net Applications has tracked an 11-point drop in XP's usage share in the past 12 months.

Williams expects that number to fall even faster with Windows XP SP2's retirement. "This represents the death knell of XP," he said. "[SP3] is only a stay of execution."

Williams urged users and companies still running XP SP2 to update immediately, and he said there's little risk in doing so. While enterprises may have put off deploying XP SP2 shortly after it launched in 2004 -- in large part because it was a major overhaul of the operating system -- XP SP3 is essentially just a collection of already-released fixes and patches.

"There's no compelling reason to delay the move to SP3," Williams said.

Microsoft has been beating the same drum, reminding users each month's Patch Tuesday of the looming retirement. In April, the company also made minor concessions on Windows XP SP2 support, announcing that it would take calls from customers running outdated service packs, such as SP2. Previously, it turned those people away.

Windows XP SP3 can be downloaded at Microsoft's Web site. It can also be obtained via XP SP2 PCs through the Windows Update service.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies