Half of the enterprise computers running the aged Windows XP operating system are still relying on the soon-to-be-retired Service Pack 2 (SP2), a researcher said today.
According to security risk and compliance management provider Qualys, 50 percent of the several hundred thousand PCs it monitors for its clients are still running Windows XP SP2.
[ Get all the details you need on deploying and using Windows 7 in the InfoWorld editors' 21-page Windows 7 Deep Dive PDF special report. | Stay up with Windows news and analysis with our Technology: Windows newsletter. ]
"The normal thing for IT is not to muck around with something that works," said Wolfgang Kandek, chief technology officer for Qualys, as he tried to explain why corporations have stuck with 2004's SP2 and not updated to SP3, which debuted two years ago .
Microsoft will officially retire Windows XP SP2 on July 13. After that date, although it will continue to provide security updates for XP SP3, it will stop issuing patches for the older SP2.
"I would expect that come August, SP2 will be getting hard and harder to defend," said Kandek, referring to the lack of security updates. "I expect to see reliable exploits of unpatched vulnerabilities three or four months later."
Companies have stepped up their efforts to migrate machines to XP SP3 in the last 11 months -- the rate of adoption of the newest service pack during that period was roughly double that of SP3's first 14 months of availability -- but even now, just weeks before SP2 will slide off support, half of the Windows XP systems still run the older edition, according to Qualys.
"I think this simply flew under the radar of most IT professionals," said Kandek, talking about the July retirement of XP SP2. "Personally, I didn't know about it until two months ago. I don't think many people were looking at the [retirement] messages Microsoft was putting out."
Microsoft started warning customers of XP SP2's looming retirement last February, and has been repeating that warning every month in its Microsoft Security Response Center (MSRC) blog on Patch Tuesday, the regularly-scheduled second-Tuesday-of-the-month security update release day. But not every user reads the MSRC blog.
Windows XP SP3 will exit all support in April 2014; to receive vulnerability fixes, users must update to that service pack by July.