Ars Technica has a discussion thread on whether there is still any reason to delay installing Windows XP Service Pack 3. I read it with some interest, because I’ve been asking myself that very question about the machines in my household. For what it’s worth, my work laptop did not have SP3 (or Internet Explorer 7) until recently because my employer’s IT department had specifically instructed us not to install these things. However, IBM recently announced a new security policy that requires vendor employees who access the IBM network (which I do on a daily basis) to keep their Windows software current. So we were required to install SP3 and IE7 . . . resulting, on my machine, in no problems at all.

So, like I said, I’ve been thinking maybe it’s time to put SP3 on the computers in my household. Well, this Ars Technica thread doesn’t shed very much light on the issue. In fact, I was amazed at how many irrational arguments were offered against installing SP3. The person who started the thread basically asked, “Is there a reason NOT to install SP3?” And at least a couple of people immediately turned the question around and asked, “Is there a reason you want to install it?” As if you have to provide a justification every time you install a software update, and you should just let your OS become more and more backlevel if you can’t think of a compelling argument for updating it.

Here’s all the justification anyone should need: If you are running an out-of-date OS, your system is insecure. It is not possible to apply all of the latest security fixes to the OS if you refuse to keep your OS current. (That’s what IBM was telling us with the new vendor policy.)

Here’s another irrational response to the question: “Well, it’s Microsoft. Have any of their SPs been 100% perfect.” Is that your standard? 100% perfection? Then I assume you never install any software published by anyone. Or is that a standard you apply only to Microsoft, while setting the bar lower for everyone else? If so, then you’re a jerk; please shut up and go away.

A person who apparently works in his company’s IT department wrote: “We aren’t pushing SP3 out for a while because of a couple of things,” followed by a list of reasons. One of those was: “Vendor buy-in. Until the vendor of that third-party app officially supports SP3 it isn’t gonna happen. Service contracts are invaluable and as such we play by their rules for the first year for major updates like service packs and operating systems.”

I’m sorry, but I think this is bunk. When a service pack is rolled out, vendors are certainly entitled to some time to test their product with it and release updates to ensure compatibility. But it should not take a year to do that, especially since work on the updates could have started when the beta version of the service pack was made available, months before the official release. Any software vendor that requires you to delay an OS update for twelve months has serious problems supporting its own product, and you should be looking for alternatives to switch to.

XP SP3 has been available for seven months now, not counting the beta test period.

The IT guy also offered this reason: “‘Cuz I wanna’ is not a valid argument to present to the IT department. You need to present a reason as to why you have to have SP3 before the planned testing is completed and the roll out occurs.” OK, fair enough. But that reasoning cuts both ways. “Cuz I don’t wanna” is not a valid argument for the IT department to present to the rest of the enterprise — and that is what a lot of IT departments seem to be saying on this issue. You want to finish your planned testing and then roll out SP3? That’s great. But when? You’ve had seven months already. It only takes nine to make a baby. How long do you geniuses need for a freaking service pack?

The IT guy ended his post with this offhand remark: “We have not and will not certify Internet Explorer 7 for our environment in the near future. The vendors and developers have stated they aren’t going to do it and they also won’t certify any third party browser such as Chrome or Firefox.” Notice that he doesn’t even bother to provide a reason — just “we won’t do it.” Are IT people just naturally passive-aggressive, or do they get special training to be like this?

IE7 was released over two years ago. What possible justification is there for refusing to allow it in your corporate network? IE6 is inherently insecure for the same reason that XP SP2 is: it’s hopelessly out of date and cannot be patched to address known vulnerabilities. Requiring people to continue using it is idiotic.

IE8 has been in public beta since March, and will be released next year. So when this IT guy says that his department won’t certify IE7 “in the near future,” what he really means is “never”. The question is, will they ever certify IE8? They could and should be testing it already — that’s what public betas are for. But I’m guessing they intend to ignore it for as long as they can.

By the way, the phrase “third-party browser” is gibberish. (Who are the first and second parties?)