mailing list archives
RE: Windows 2k SP2 breaks security fix should reapply
From: Russ <Russ.Cooper () rc on ca>
Date: Fri, 15 Jun 2001 15:40:02 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Since a reminder about MS01-026 and W2K SP2 was allowed through, I
thought a more long-term explanation might help folks better.
1. Security hotfixes for W2K are named according to what Service Pack
they are *expected* to be included in (there's a more sophisticated
explanation, but for all intents and purposes...) Ergo, the MS01-026
fix is named q293826_w2k_sp3_x86_en.exe, indicating that its expected
to be included in SP3 (and by extension, definitely not included in
vicePackId=2 gives you a listing of all Security hotfixes that are
required post-W2K-SP2. Note how MS01-026 *is* listed there.
3. The HFCheck.wsf, from
identifies what might need to be re-applied after a Service Pack
Finally, for anyone who wonders why, after installing the latest
Service Pack, they'd then have to re-apply Security hotfixes that
were released prior to the Service Pack...the answer's pretty simple
and hopefully one that everyone appreciates.
Both Service Packs and Security hotfixes go through regression
testing prior to release. This is a fervent attempt, since NT 4.0 SP2
to avoid the problems associated with patches and compatibility. The
testing for Service Packs is more extensive than that for Security
fixes, largely due to the number of components that need to be tested
in a Service Pack. As a result, the date that Service Pack
distributions are frozen (meaning no new code can be added) comes
some time (usually 4-6 weeks, sometimes longer) prior to its release.
During that time Security fixes are created and made available to the
public since they're important, but not put into the frozen Service
Pack distribution because that would delay its (the SPs) release.
So always double-check, using one of the three methods mentioned
above, whether or not you need to re-apply a Security hotfix after a
Service Pack installation. There are almost always going to be at
least one or two.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
-----END PGP SIGNATURE-----