It's time to run .Net out of town

In yet another massive patching failure, Microsoft released three automatic updates that failed to install on Windows XP and Windows Server 2003

I don't know what it is about Microsoft and .Net Framework patches, but it seems that every time we have a sizable .Net patch, it doesn't work on enormous numbers of PCs.

So it was again this week. For reasons unknown and unexplained, Microsoft pushed three .Net patches -- KB 2518864 (MS11-044, June 2011), KB 2572073 (MS11-078, October 2011), and KB 2633880 (MS12-016, February 2012) -- out the Windows Update chute. If you happen to be running Windows XP or Windows Server 2003, with .Net Framework 2.0 SP2 or 3.5 SP 1, and if you're naive enough to leave Automatic Updates turned on, you probably got nailed with a yellow alert icon that says, "Some updates could not be installed." Click through the alert and you see that Automatic Update couldn't install any of the three patches.

I know some admins who have hundreds of customers with yellow alert icons.

Microsoft has assiduously avoided explaining why so many PCs and servers were affected, and only recently have users been able to piece together a workaround. Support forums all over the world are ablaze with complaints and questions.

Yesterday, Microsoft yanked the patches. If you're staring at a yellow warning icon (or if you have scores of customers who are so bedeviled), having the patch yanked may or may not solve your problems. With a lot of help from afflicted Windows XP users and one Microsoft tech, I've come up with five possible remedies for the nagging yellow icon on my AskWoody site, ranging from easy to drastic.

If this is starting to sound like last month's .Net Framework patching debacle, where many people couldn't print their TurboTax forms over the tax weekend, the similarities are uncanny. But they're par for the course with .Net Framework patches. In the past year, I've seen problems with all these .Net patches:

  • May 2012: MS12-025/KB 26563638 .Net 4 patch, released via Automatic Update, pulled by Microsoft.
  • May 2012: MS12-025/KB 2656373 .Net 3.5.1 patch, released via Automatic Update, pulled by Microsoft.
  • February 2012: MS12-016/KB 2651026 .Net 2, 3.5.1, and 4 patches, multiple problems on XP systems, including ATI card control panel software Blue Screen of Death, widespread installer failures.
  • August 2011: MS11-069/KB2533523 .Net 4 patch, released via Automatic Updates, pulled by Microsoft.
  • August 2011: MS11-066/KB2487367 .Net 2 patch, released via Automatic Updates, pulled by Microsoft. Keeps reinstalling.
  • June 2011: MS11-039 and MS11-044, many kilobytes. Enormous array of problems, many of which can't be undone, require removing and reinstalling .Net.

Now we get to add the three new ones, which have been pulled by Microsoft.

I can't even figure out why Microsoft pushed the patches. Microsoft did release a security notification that details changes to three Security Bulletins, MS11-100, MS12-034, and MS12-035. None of those cover the patches that went haywire yesterday, but the revisions mention, "This is a detection change only." Whether the notification has anything to do with the botched patches remains to be seen, but it's the only patch notification that's come out in recent days. If the security notification isn't related to the repushed updates, why did Microsoft push them? They appeared completely unannounced, with no warning whatsoever. And they're buggy as can be -- as befits .Net patches.

Last month, I brought down a firestorm of complaints for saying that it's time to run Java out of town. Sun's (and then Oracle's) inability to keep the Java Runtime Environment patched has driven Java to the top of the infection vector list for Windows systems. Recently, it made the Mac vulnerable. Java deserves to go.

Well, Microsoft, it's time to run .Net out of town, too -- at least the older versions. Why on earth did you make your versions so backwardly incompatible that many Windows customers are forced to run multiple copies of .Net? Right now, almost any well-worn Windows PC sports a copy of .Net Framework 4, .Net Framework 3.5, and .Net Framework 2.0. Some of them also have .Net Framework 3.0 and 1.1. What's wrong with this picture?

If Microsoft can't clean up the .Net mess, it's time to move on to a better technology.

This story, "It's time to run .Net out of town," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.