Microsoft Corp. did yet another turn-about on Tuesday and opened the newest version of Windows XP SP3 to the public. It's not final, this last service pack, but it's close.
And it's the first time since December that any XP user has been able to take a peek at SP3.
So although Computerworld's resident Windows guru Preston Gralla warned everyone to be ready to be underwhelmed, we're betting that interest in Windows XP Service Pack 3 Release Candidate 2 will be high.
Why? Because as Vista has stumbled, XP has gained new respect. More than one user has already sworn online that he'll give up XP only when someone pries the install disc from his cold, dead hands. Others have announced plans to stockpile XP when it drops off the retail sales list June 30.
So, what's XP SP3 all about? We thought you'd ask that, so here are a few answers to tide you over now. When the upgrade goes final, we'll follow up with more.
What exactly has Microsoft handed over? Dubbed Service Pack 3, v.3311 once it's installed, Microsoft says that this is SP3 RC2 (for Release Candidate 2). By all indications, it's the same build as the one seeded to the closed-set of 15,000 beta testers about two weeks ago, on Feb. 7.
Where do I get it? Unlike the only other time that XP SP3 was offered to all comers, it's not posted on Download Center as a manual download. Instead, SP3 RC2 is delivered via Windows Update (WU), Microsoft's primary security patch, hotfix and catch-all update service.
To pull SP3 RC2 from WU, however, users must trick their PC into thinking that it's allowed to do that. A small 38Kb file -- this is what you need from Download Center -- hacks the Windows registry by changing a key or two. Voila! You're in.
What's the process like? Long and semi-cumbersome. But hey, it's prelim, right?
After downloading the hack, the first chore is to uninstall any previous version of XP SP3. For most users, that would be SP3 RC, the December 2007 build given to all comers. To do that, open "Add or Remove Programs" from Control Panel, check the "Show Updates" box, then scroll to the bottom of the listing. Select "Windows XP Service Pack 3" and then click the "Remove" button. The uninstall ends with a reboot.
Next, you should run WU to grab any missing security updates. This applies to everyone, but most of all to users who had been running SP3 RC; like other service pack previews, it refused to "see" XP patches. (One Computerworld test system, for instance, that had SP3 RC installed in mid-December hadn't grabbed any updates during the normal January and February patch cycles.) You may need to reboot here as well.
Finally, run the registry hack downloaded earlier, then fire up WU again. XP SP3 RC2 should now appear. It's a 66MB download for most users, but your mileage may vary. When RC2 has been downloaded and installed, the PC does a final reboot.
Why is Microsoft using Windows Update to deliver SP3 RC2? Our guess is that Microsoft's testing the WU mechanism, which will, after all, be the way virtually all consumers and small business receive the service pack when it eventually goes RTM (release to manufacturing).
The company did the same thing with Windows Vista SP1 in mid-January. On Jan. 10, it offered SP1 RC Refresh to the invite-only testers and told them to grab it using WU. Two days later, Jan. 12, it released the same build to the public, again through WU.
What's new in XP SP3? Not much, according to the first version of the service pack's release notes, which were posted just yesterday to Microsoft's Web site.
As befits a service pack, especially the last of its kind -- this will undoubtedly be the final SP for XP -- SP3 is mostly about patches and hotfixes and other updates that have been issued incrementally since 2004, when Microsoft pushed Windows XP SP2 out the door.
But there are some new features. Most notably, it appears that Microsoft has kept its promise to upgrade the random number generator. Last November, remember, a team of Israeli researchers, led by Benny Pinkas at the University of Haifa, argued that attackers could exploit a weakness in Windows 2000's pseudo-random number generator (PRNG) to predict encryption keys. After some hemming and hawing, Microsoft acknowledged that Windows XP shared the bug, and said it would fix the flaw in SP3.
In the release notes, under the heading of "Microsoft Kernel Mode Cryptographic Module," Microsoft said that SP3 now "implements and supports the SHA2 hashing algorithms (SHA256, SHA384, and SHA512) in X.509 certificate validation." And that the "Federal Information Processing Standard (FIPS) 140-1 standard has been replaced by FIPS 140-2, and these modules have been validated and certified according to this standard."
FIPS, which stands for Federal Information Processing, is a U.S. government security standard.
How long before SP3 goes final? Microsoft's not saying. All along, the six-month spread of the first half of 2008 has been as much as the company would admit.
But we think it's close. Here are the tea leaves we're reading:
- Microsoft seeded Vista SP1 RC Refresh to testers via Windows Update on Jan. 9, then posted it for public download Jan. 11. A little more than three weeks later (Feb. 4) it shipped the service pack out the door. Using a similar timetable puts XP SP3 as wrapping up around the middle of March. If Microsoft takes SP3 RTM on a Monday, as it did Vista SP1, we've circled March 17.
- The stress test of WU is a second clue; we've already covered that.
Can I roll back XP to its pre-SP3 condition if I want? How do I do that? Yes to the first. Easy to the second.
To ditch SP3 and return to (presumably) SP2, open "Add or Remove Programs" from Control Panel, check the "Show Updates" box, then scroll to the bottom of the listing. Select "Windows XP Service Pack 3" and then click the "Remove" button.
The PC needs to reboot, but after that the machine should return to its prior state.