Bug fixes, security hotfixes, and upgrade options
Microsoft released the long-awaited Service Pack 2 (SP2) for Windows 2000 in May 2001. Microsoft organized SP2's 549 documented bug fixes into 15 categories, which Table 1, page 42, shows. Although the line between a bug fix and a feature is fuzzy at best, Microsoft claims that SP2 contains code corrections but doesn't fundamentally extend the functionality or the feature set of the OS. Most of the updates are either identical to or supersede fixes that were available from Microsoft Product Support Services (PSS) before the release of SP2. To save you the effort of reading through 549 documents, I highlight some of the most important improvements. (For information about where you can find SP2, see the sidebar "Where to Get SP2," page 40.)
SP2 delivers a large number of hardware-specific fixes for power, video, and DVD problems on Toshiba, Dell, Compaq, Gateway, and IBM notebooks and laptops; an updated AGP driver that supports ServerWorks' RCC HE chipset; improvements to the SCSI driver; support for ATA-100 (Mode 5) hard disks; an OHCI1394 driver that no longer leaks memory; and an improved USB driver that eliminates the occasional disappearing device.
SP2 also corrects many DNS-cache and zone-transfer problems; Active Directory (AD) replication problems; backup and restore errors; authentication, password, and account-lockout problems; access violations in lsass.exe and services.exe; and problems promoting and demoting Win2K domain controllers (DCs). In addition, SP2 delivers improvements to the File Replication Service (FRS), including more reliable communication on a network in which you connect a hub site to a large number of branch sites through slow links (e.g., 64Kbps links), enhanced FRS event logging, and an improved version of the ntfrsutl.exe diagnostic and troubleshooting utility.
In the networking area, SP2 eliminates multiple WINS and DHCP problems and removes the 850-DHCP-servers-in-a-network limit. Several SP2 DHCP server patches require that you manually edit the registry to activate the improved functionality. See the Microsoft article "Dynamic Host Configuration Protocol Server Management Issues in Windows 2000" (http://support.microsoft.com/support/kb/articles/q297/8/47.asp) for a description of the modifications you must make.
After you install SP2, the OS will no longer hang when you enable object auditing, and it will run batch files that redirect input or output without generating an access violation. In addition, minor fixes ensure that the OS correctly calculates the size of the registry, lets Windows NT Loader (NTLDR) boot with a fragmented system hive at startup, and eliminates an occasional but fatal deadlock in ntdll.dll and a dfssvc.exe memory leak. SP2 includes several fixes to NT Backup that eliminate problems with backing up and restoring Microsoft Exchange 2000 Server databases.
Finally, what service pack would be complete without a cleanup of known access violations and blue screens? This update eliminates blue screens caused by disk.sys, serial.sys, fastfat.sys, dlc.sys, and the well-known stop 0x1e that can occur at the beginning of a replication window on all Win2K servers in the same domain.
SP2 and Security
In March 2001, Microsoft discovered that incorrect file-version numbers in several security hotfixes might cause 1 of 26 hotfixes to overwrite a current file with an earlier version of the same file. To eliminate this problem, Microsoft released a new catalog file, sp2.cat, that contains updated file-version numbers for hotfixes with the file-version number problem. SP2 includes this catalog, so you don't have to install the standalone sp2.cat file before you upgrade. After you install SP2, you can be confident that all the files in the selected group of hotfixes are current.
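One way to check for the overwrite problem described above, as an added example that is not part of the original article or Microsoft's tooling: compare file versions recorded before and after a hotfix installation and report any that went backwards. The inventory format and every version number are constructed for illustration; only the file names come from the article.

```python
# Added example (not from the article). File names come from the article;
# every version number below is constructed sample data.

def parse_version(text):
    """Turn a dotted four-part file version into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def find_regressions(before, after):
    """Return (name, old, new) for each file whose version went backwards.

    Fields are compared numerically; comparing the raw strings would rank
    "5.0.2195.999" above "5.0.2195.2780" and hide the downgrade.
    """
    regressions = []
    for name in sorted(before):
        if name not in after:
            continue  # file removed or not inventoried; out of scope here
        if parse_version(after[name]) < parse_version(before[name]):
            regressions.append((name, before[name], after[name]))
    return regressions


# Constructed inventories: file name -> version before and after a hotfix.
BEFORE = {
    "lsass.exe": "5.0.2195.2780",
    "services.exe": "5.0.2195.2780",
    "ntdll.dll": "5.0.2195.2779",
}
AFTER = {
    "lsass.exe": "5.0.2195.2964",    # updated as intended
    "services.exe": "5.0.2195.999",  # older file written over a newer one
    "ntdll.dll": "5.0.2195.2779",    # untouched
}

if __name__ == "__main__":
    for name, old, new in find_regressions(BEFORE, AFTER):
        print(f"{name}: {old} -> {new} (older file installed)")
```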
As for security hotfixes, SP2 bundles 30 hotfixes that Microsoft released for public download through December 2000. Scan through the long list of security hotfixes that Microsoft released starting in January 2001, and download any hotfixes that directly affect your network operation. After you download the hotfixes, you can include all those you need to install on existing or new systems in a combination installation directory that also includes SP2. When you use the new Win2K combination installation method, you can install SP2, selected bug fixes, and security hotfixes in one operation. (I explain the basics of a combination installation later.)
Updated Support Tools
If you download the full network installation version of SP2 instead of ordering the SP2 CD-ROM, you need to download three additional files: the update to the Win2K Support Tools, the Microsoft Windows 2000 Resource Kit Deployment Tools update, and the Installation and Deployment Guide. Microsoft has links to these downloads on the SP2 home page (http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp) and ships all three updates on the SP2 CD-ROM.
The Support Tools download contains bug fixes for six popular utilities (netdom.exe, nltest.exe, dnscmd.exe, netdiag.exe, dcdiag.exe, and dfsutil.exe) that ship in the \support directory of the Win2K CD-ROM. The Deployment Tools update contains a new version of the Sysprep tool (version 1.1) that cleans up a couple of Sysprep bugs and reduces the number of images you need to build. The Installation and Deployment Guide is a comprehensive document that describes procedures for upgrading and rolling out SP2.
Preparing to Upgrade
You need a bit of information before you upgrade to SP2. SP2 upgrades Win2K to high encryption (i.e., 128 bits), which offers a much higher level of protection than standard 56-bit encryption. Note that according to the Installation and Deployment Guide, SP2 doesn't upgrade the Protected Store to high encryption. To close this loophole, you must install the security hotfix at http://www.microsoft.com/technet/security/bulletin/ms00-032.asp to upgrade this component.