Microsoft has unveiled the first Windows XP security pack, a collection of 22 previously-available patches for that operating system.
The vendor claims that Update Rollup 1, in beta testing for the past month, is a more convenient way for users to deploy patches they might have missed when the original vulnerabilities -- and associated security bulletins -- were posted on the company's web site.
When discussion of the Rollup first started, analysts saw it as Microsoft's attempt to provide an interim pack of security updates before releasing a second service pack for Windows XP, which then wasn't expected until mid-2004.
Microsoft CEO Steve Ballmer, in a wide-ranging talk last week about Microsoft's security plans, repeated that Service Pack 2 (SP2) would not be released until the middle of next year.
This week, however, Richard Kaplan, a vice-president of content at Microsoft, told an audience at the Citrix Forum in Florida that SP2 would be available by the end of this year.
Directions on Microsoft analyst Michael Cherry claims the recently-released roll-up only meets half the criteria necessary for success.
'The rollup should be a single installer -- which it is -- but Microsoft should also try to distribute it in newer ways,' Cherry said. 'It's not as helpful if it's distributed through the normal channels [of download and WindowsUpdate]. I would have liked to see Microsoft put it on a CD and make that widely available.'
Such a CD would be a better way to get the 9 MB roll-up out to customers, such as consumers and small business users, who access the Internet through slow dial-up connections. OEMs could add the roll-up to Windows XP distributions they pre-load on new PCs, Cherry said.
Update Rollup 1, however, is already obsolete, for its nearly two dozen fixes don't include the most recent patches. Users who deploy the roll-up will still need to apply additional patches individually.
The Update Rollup can be downloaded from the Microsoft Web site, or retrieved using Microsoft's WindowsUpdate service. On the latter, it's called critical update 826939.
The roll-up adds another element to the shifting Microsoft security strategy. In his speech last week at the company's Worldwide Partner Conference in New Orleans, Ballmer announced a monthly schedule for non-critical security updates, replacing the sporadic Wednesday bulletins and patches.
But Cherry said the scheduling shift was a non-issue because it referred to non-critical patches. Microsoft has said it would continue to release fixes for critical vulnerabilities outside the monthly schedule on a case-by-case basis.
'What Microsoft is saying is that their enterprise customers told them that weekly was too frequent. But the right way to handle the complaint is not to change the duration but to change the quality of software so that fewer patches are needed,' Cherry said.