Microsoft has released Win2K Service Pack 4 (SP4), the latest collection of hotfixes and software updates for the Windows 2000 family of products. I'm going to provide an overview of SP4, tell you what I think are the most significant updates, and offer some recommendations for testing and acceptance.
Windows 2000 SP4 is cumulative and contains all fixes from previous service packs. You can download it here. You can also go to the Windows Update Web site and scan your PC, if your network allows this type of behavior.
This service pack includes more than 650 fixes. Let's go over some of what I think are the more important (and most interesting) fixes. Obviously, I can't cover every fix in this article, but you'll find a complete list of all fixes here.
Microsoft has divided the fixes contained in SP4 into a variety of categories. The fixes I'm highlighting are listed under these categories.
Base operating system
- You May Receive a "Tape Drive Requires Cleaning" Error Message When You Try to Back Up
- Peripheral Hardware May Not Be Initialized During the Startup Process
- You Receive an "NTLDR Is Missing" Error Message When You Start Your Computer
- Administratively Created DNS Records May Not Be Security-Enhanced
- Computer Is Unresponsive When Hibernating
- Cannot Remove a Computer from a Domain Because the Computer Name Is Not Found
- Installing a Non-Plug and Play Driver for a PCI Device May Cause Problems
- Removing USB Hub Causes STOP 0x0000001E
- Active Directory Passes Incorrect Security Descriptors to Programs
- The Computer Appears to Stop Responding When a Program Sends Large Blocks of Data Through TCP/IP Sockets in Windows 2000
- Windows 2000 Crashes with a "Stop 0x000000d1" Error Message
- Corrupted Inbound Message Causes the SMTP Service to Stop or to Shut Down Unexpectedly
- IIS Admin Services Does Not Stay Running and Exchange SMTP Service Repeatedly Stops
- Existing Computers Are Not Updated to the DNS-Style Domain Name After You Upgrade the Domain to Active Directory
- Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active Directory Domain Controllers
- DNS Service Ends Unexpectedly and Event 7031 Error Message Appears
Internet Information Services/COM+
- Duplicate Computer Names May Be Created When You Set Up Multiple Clients with RIS
- Successive Attempts to Complete a Group Policy Installation of a Service Pack May Log an Event ID 102 Error
- "Local Users and Groups" Is Empty or Does Not Display All Member User Accounts
- There May Be a Delay in Mapping SIDs to Account Names If the Computer Name Contains More Than 15 Characters
- The Computer Management Tool Tries to Use Only the DNS Host Name to Connect to a Remote Computer
- The "Look In" and "Save As" Boxes in Common Dialog Boxes Are Slow
- Some Newsgroup Items Are Not Posted to Public Folders in Exchange 2000 Even Though the Post Operations Appear to Be Successful
- Windows 2000 Server May Hang After a Local Backup Completes
- You Receive a "Stop 0x00000050" Error When You Restart Microsoft Message Queuing
- TCP/IP Routes May Be Incorrect If AddIPAddress() Is Used on Multihomed Computers
- Earlier Clients May Fail to Change Passwords or Join in a Windows 2000 Domain
- A Laptop Computer Has No IP Address After Hibernating
- You Cannot Add an .msi Package to a Group Policy Object
- Installing an AGP Video Adapter Driver May Hang the Computer When You Restart It
- Windows 2000 Account Operators Can Manage Their Own Accounts
- DNS Query of Type ALL Does Not Query an Authoritative Server for the Domain
- Your Windows XP-Based Client Cannot Establish a VPN Connection
- A DNS Server May Not Respond to Some DNS Queries
- Cannot Connect to a Network Share over a VPN Connection
- You Cannot Add a Printer by Using the CNAME
- You Cannot Print to a Local Printer After Windows 2000 Service Pack 2 Is Installed
- Server May Stop Responding If You Use a Program That Uses Sharable Pages
- Unexpected Delay When You Log Off
There are many fixes listed under the Security category, and I would suggest you examine every one of them. Here's that link to the entire list again.
- Slow Network Performance Occurs When You Select a File on a Share That Uses NTFS
- Data Loss Occurs When You Copy Files Over the Network
- Explorer.exe Repeatedly Generates Access Violation Error Messages After You Log On
- Windows Cannot End This Program Error Message When You Try to Close a Parent Program in Windows 2000
- The "Back" Button Is Unavailable After You Click a Hyperlink in a Word Document That You Open in Internet Explorer
- Multiple Windows Installer (.msi) Packages Cannot Write to the Same Registry Key on a Server That Is Running Terminal Services
- Cannot Send Recognized Input from Tablet PC to Windows 2000 with Remote Desktop
- The Windows Explorer Progress Bar May Be Misleading When You Move or Copy Large Files
- Windows 2000 Is Unexpectedly Installed On a Newly Created Account During Remote Installation
- Cannot Add a User or Group to a Trusted Domain
Testing and acceptance
The rule of thumb for installing a service pack (or any hotfix, for that matter) is to test it first in a simulated environment. Microsoft performs extensive testing, but it's unreasonable to think that it could account for and test every possible hardware and software combination in the world. Nor does it have control over how other software manufacturers develop their programs.
Consequently, there is risk involved in applying any service pack. This risk can be mitigated by full testing. The company I work for usually performs anywhere from 40 to 60 hours of intense testing on an OS service pack before we certify it for use. (My company sells 911 call center software, which cannot have downtime; therefore, elaborate and intense testing must be performed.)
After certifying the new service pack for your environment, you need to figure out how to distribute it to the appropriate systems. A variety of options are at your disposal, such as using an MSI file to distribute the service pack via Group Policy, using Windows Update on each machine, distributing it on CD, and managing it with Microsoft Software Update Service (SUS).
Also, a few months after a service pack's arrival, the base operating system itself (Windows 2000, in this case) will usually come with the service pack merged, or "slipstreamed," into it. Essentially, when you install the OS, the service pack will automatically be part of the OS. However, you can create your own slipstreamed SP4 installation disk if you'd rather not wait for the media to arrive.
An old adage in Microsoft lore suggests that the first three service packs of an operating system should always be installed, and anything after that is really optional. Although there may have been some credence to this interesting philosophy for previous operating systems, Windows 2000 Service Pack 4 is clearly a must for most businesses. Given the aforementioned fixes, it makes sense to get it into your network as soon as possible—after your testing, of course.
Jeremy L. Smith, CISSP, is a cybersecurity and public safety professional who has worked with a variety of agencies to improve the security of their call centers and execute their public safety initiatives more effectively, including 911 call taking, cyber security, mass notification, and more. As the former chair of the NENA Security Working Group, he helped lead the development and creation of the public safety industry's first cyber security standards, NG-SEC. He is currently the general manager of the Mass Notification Division of Airbus DS Communications, a leader in the public safety market.