Windows XP SP2 could break existing applications

Microsoft's service pack focuses on security at the expense of backward compatibility

When Microsoft releases Service Pack 2 for Windows XP later this year, some software developers may find their applications no longer work on updated Windows machines.

Microsoft has made something of a trade-off with the update, focusing on security improvements at the expense of backward compatibility. The Redmond, Washington-based vendor is calling on all software developers to test their code against the beta version of Service Pack 2, or face the possibility that the update will break their handiwork.

Windows XP Service Pack 2 (SP2) is more than the usual roll-up of bug fixes and updates. It is also being used to make significant changes to the software that are designed to improve security. These changes can render applications inoperable, Microsoft warns.

"It may surprise some of the developers that we are changing some defaults, and that may affect the way some of the older applications run," said Tony Goodhew, a product manager in Microsoft's developer group. "Developers should absolutely be checking their applications against Windows XP SP2."

To help developers, Microsoft has created an online training course that details the implications of installing SP2 on Windows XP machines. The course covers the impact on existing applications and includes code samples. Microsoft has never before offered such a course with a service pack release, according to Goodhew. (

Large vendors of software are getting help from Microsoft to make sure their applications are compatible with SP2, Goodhew said. Smaller vendors and others, such as enterprise software developers, need to do their own testing. "It is really up to developers to do the due diligence," he said.

If developers do find that SP2 breaks their applications, it most likely means that they were not following best practices in terms of security when writing their applications, according to Goodhew.

"SP2 will break some applications because they are insecure," he said. "Security is important, and it is not just a Microsoft problem but a developer community problem. We all need to work together to create a more secure computing environment."

"It doesn't really matter how long it is going to take you to do the work; security is an important issue and developers need to start doing that work now," Goodhew said.

Although Microsoft said it has been informing developers about the implications of SP2, not all were aware of what the changes will mean for them.

"I'm afraid now, I have somehow missed this message," said a Windows developer who asked not to be named. "Was it buried in too many marketing messages? Was it dependent on me searching it out?"

But Patrick Hynds, chief technology officer at CriticalSites Inc., a Burlington, Massachusetts-based software development and integration provider, said Microsoft is not leaving any developers flat-footed. "I think Microsoft is doing enough, we're still months in advance and they are actively informing people," he said.

One place Microsoft is informing developers are the Developer Days, or DevDays, events it is hosting around the world. The first such event was held last month and many more are on the agenda. Hynds spoke at one of the first DevDays events.

"Microsoft is getting the message out on something that had to be done. I would be a big critic of Microsoft if they weren't doing this kind of update," Hynds said.

Changes to Windows XP made by SP2 fall into four main areas: network protection, memory protection, e-mail security and browsing security. The most affected parts of Windows are RPCs (Remote Procedure Calls), DCOM (Distributed Component Object Model), Windows Firewall, and memory execution protection, according to Microsoft.

Many of the changes can disrupt functions of Windows and other applications, said Thor Larholm, a senior security researcher at PivX Solutions LLC in Newport Beach, California. "By design, many of the new security improvements will break functions for a wide range of applications," he said.

However, the trade-off is a good thing, according to Larholm. "Microsoft is finally starting to favor security over functionality to such an extent that it is impacting its own development tools and other products," he said.

Microsoft's Visual Studio .Net is one of the applications affected by Windows XP SP2. The developer tool's remote debugging feature won't work because of the improved Windows Firewall, previously called Internet Connection Firewall, which will be turned on by default and will close all ports, Goodhew said.

Another product that Microsoft needs to update is the .Net Framework. The new memory protection features in SP2 require developers of certain applications to mark their code with memory execution permissions. If they don't, the protection features could interfere with the application, according to Microsoft.

"The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation. The .Net Framework is one," Goodhew said.

Microsoft plans to come out with updates to its Visual Studio products and the .Net Framework at around the same time it releases Windows XP SP2 to address the compatibility issues, Goodhew said.

SP2 went into beta last year and Microsoft plans to release the update in mid-2004. Compatibility issues should not hold back its release, Goodhew said. "We're aiming to release SP2 midyear. As far as we stand, we're still on track to do that," he said.

Copyright © 2004 IDG Communications, Inc.