Bugtraq mailing list archives
RE: Windows 2k SP2 breaks security fix should reapply
From: Russ <Russ.Cooper () rc on ca>
Date: Fri, 15 Jun 2001 15:40:02 -0400
-----BEGIN PGP SIGNED MESSAGE----- Since a reminder about MS01-026 and W2K SP2 was allowed through, I thought a more long-term explanation might help folks better. 1. Security hotfixes for W2K are named according to what Service Pack they are *expected* to be included in (there's a more sophisticated explanation, but for all intents and purposes...) Ergo, the MS01-026 fix is named q293826_w2k_sp3_x86_en.exe, indicating that its expected to be included in SP3 (and by extension, definitely not included in SP2). 2. http://www.microsoft.com/technet/security/current.asp?productID=17&ser vicePackId=2 gives you a listing of all Security hotfixes that are required post-W2K-SP2. Note how MS01-026 *is* listed there. 3. The HFCheck.wsf, from http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168 also identifies what might need to be re-applied after a Service Pack installation. Finally, for anyone who wonders why, after installing the latest Service Pack, they'd then have to re-apply Security hotfixes that were released prior to the Service Pack...the answer's pretty simple and hopefully one that everyone appreciates. Both Service Packs and Security hotfixes go through regression testing prior to release. This is a fervent attempt, since NT 4.0 SP2 to avoid the problems associated with patches and compatibility. The testing for Service Packs is more extensive than that for Security fixes, largely due to the number of components that need to be tested in a Service Pack. As a result, the date that Service Pack distributions are frozen (meaning no new code can be added) comes some time (usually 4-6 weeks, sometimes longer) prior to its release. During that time Security fixes are created and made available to the public since they're important, but not put into the frozen Service Pack distribution because that would delay its (the SPs) release. So always double-check, using one of the three methods mentioned above, whether or not you need to re-apply a Security hotfix after a Service Pack installation. There are almost always going to be at least one or two. Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.2 iQCVAwUBOypkkhBh2Kw/l7p5AQERngP+ImBJ8hSZ3kFXN0RrND+PMP9OrkA6Fdc4 TLTOA+SfmJtlVNfrN6pV8JEkjPeDMThJCUXSOksfBSpjRB2DpnJmrwHBfV8zLJeq Tg6Rxjt6urJVXTCklvTIgRXWrBvQIu8898t+fSGvmcIcQMD1SgysemmNJ+K1feQP 1dVMvt8oV4E= =HDh1 -----END PGP SIGNATURE-----
Current thread:
- Windows 2k SP2 breaks security fix should reapply Colby Rice (Jun 15)
- Re: Windows 2k SP2 breaks security fix should reapply Eric (Jun 16)
- Re: Windows 2k SP2 breaks security fix should reapply Rick Updegrove (Jun 16)
- RE: Windows 2k SP2 breaks security fix should reapply Chase Stone (Jun 18)
- <Possible follow-ups>
- RE: Windows 2k SP2 breaks security fix should reapply Russ (Jun 16)