SP2 - Service Pack 2

Download from http://www.softwarepatch.com/windows/xpsp2.html

NEWS Flash :  Microsoft Announces the end of all Support for SP1 on Oct 10, 2006  ! !

*** so if you plan on sticking with SP1 make sure to get all recent updates "before" Oct 10

Should I break down and install SP2?

I have XP Professional installed on my computer and now I keep getting the message "Support for Windows XP SP1 ends October 10, 2006". I have held off updating to SP2 because I have heard so many people have problems with it. Is this true? And should I go ahead and update??? Need your advice soon! - Susan B.

It's true that Microsoft has announced the end of support for XP SP1 and SP1a on October 10 (end of support was originally scheduled for September 17, then extended by Microsoft last January). This includes security updates. For this reason, it's best for most users to upgrade to SP2.

It's also true that some people have reported problems and conflicts after installing SP2; however, based on reports and our readers' mail, the instance of problems was much lower than with SP1. There's now a very large knowledge base dealing with SP2 upgrade problems on the Microsoft web site, and many of the initial problems have been corrected in subsequent updates. You can find troubleshooting help at

Many reported problems occur because of the SP2 firewall. For information on how to configure the Windows Firewall in SP2 to enable your programs to run, see

SP2 contains a feature called Driver Protection that blocks the OS from loading drivers that are known to cause problems. Fortunately the list is pretty small. However, if you have unusual or old hardware peripherals or configurations, you may encounter problems.

We recommend that you back up all important data to a network location or removable drive before installing SP2. If SP2 doesn't install successfully, you can recover the system and remove SP2 by following the instructions at



BEFORE I said:  *** ask yourself - "Do I need SP2 ?"  if you cannot find a reason, then don't get it !!  If it ain't broke, don't fix it !!

MUCH HAS CHANGED - now you really need to upgrade to SP2 !!!  Because . . .

More Reasons . . .

*** for Autopatcher to wor, you need SP2  -  if you have a pirated version of Windows XP, or for whatever reason your system will not validate - you will NOT be able to get Microsoft patches and upgrades.  If this is your case . . . then you should definitely upgrade to SP2, so that you can update Windows via the "Autopatcher" monthly updates, which does not use validation.  Autopatcher is for WinXP SP2 only !!

- for detailed information - go to our Autopatcher page

*** You can ROLL BACK to SP1 if need be !!!   There are two ways :  

  1. Control Panel Add/Remove Programs . . . remove Service Pack 2

  2. use System Restore to go back to the previous state "before" you installed SP2


But Still - be Careful, especially if you have older, Legacy Hardware

*** be careful - especially with older cards, for which you may not be able to find drivers that work with SP2 for.  For example, you may have a $1000 video capture card made in 1999, which works perfectly.  Well, it may not work at all after you install SP2, so check with the manufacturer for updated drivers.  If unsure but you want SP2 - go ahead and install it, then if it causes problems that you cannot bear - roll back to SP1 using the Control Panel Add/Remove Programs, or System Restore.

There have been many problems with SP2.  However, for most systems and applications it is fine.  The rule of thumb is - if you have older legacy stuff or a small hard drive, then it is better to keep your system at SP1.  If your stuff is modern, then update to SP2.

Windows XP SP2 Spotlight - Tech Republic

IT Administrators Delay SP2 Rollouts - eWeek

PC World - Multiple SP2 Articles and Info


Microsoft released SP2 in August 2004.  Like all Service Packs, it contains all previous updates and hot-fixes, and adds it's own updates as well.  Here we discuss SP2's capabilities, how to install SP2, remove SP2, the SP2 Firewall, and what SP2 breaks !!  

So far, the response to SP2 is mixed.  Microsoft would have everyone use it ASAP, of course, and they back that up with their  Top 10 Reasons to upgrade to SP2.   The primary reason for SP2 is to finally fix all the hundreds of security holes that have plagued users !!  So you would think that the new firewall is an absolute blockade - but it is not.  The new MS firewall does a fair job at blocking incoming hacker attempts, and it does include every WinXP patch up to this time.  BUT  :

SP2 = SPace-hog 2

Here is something to be aware of: SP2 needs quite a bit of disk space (from 495MB to over 1.5GB, depending on various factors). For exact numbers in different situations, see MS kB article 837783:

        Hard disk space requirements for Windows XP Service Pack 2

Here's what happened to one user, K.P.: "SP2 automatically decided to download onto my computer. And half way into the install It decided I had no more room on my hard drive. So it quit half way. All was fine until I rebooted, I got a fatal error message every time I booted up. So I had to reformat my hard drive!!! "


Downloading/Installing SP2

Microsoft recommends downloading it in one of two ways:

Removing SP2

Amazingly, unlike SP1, Internet Explorer, etc - SP2 is removable.  Even more amazing, Microsoft does tell users how to remove SP2.  Go Here for SP2 Removal Instructions

Blocking the Automatic SP2 Download Temporarily  

So long as you do not select Automatic Updates to auto-install updates (the first choice in the diagram below) - then SP2 will not install until you approve of that, and select that option.

How to Turn OFF Automatic Updates but still be notified

Right click My Computer, Click Properties, Click Automatic Update tab
Select "Notify me but don't automatically download or install them" or "Turn Off Automatic Updates"

NOTE:  even if you have selected the following, "Notify me but don't automatically download or install them" - when you go to the Microsoft Windows Update site (the site has changed - the new site URL is  http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en-us )  - it will give you a message that "Automatic Updates are Turned ON".  Weird, but true:

The SP2 Microsoft Firewall

*** read this and then go to Microsoft's detailed SP2 Firewall configuration  instructions

Unlike SP1, where the MS firewall was OFF by default - in SP2 it is ON by default.  But many of us have our own personal firewall installed (BlackIce, Zone Alarm, etc.).

The Windows Firewall was formerly called the Internet Connection Firewall or ICF. SP2 installs a completely updated firewall that is different in a number of ways. First, as mentioned it is turned on by default for all network interfaces. To configure the firewall, use the Security Center in Control Panel or the Windows Firewall Control Panel applet. On the General tab, you can select to turn the firewall off. This is not recommended unless your computer is protected by another firewall.

On the Advanced tab, you can select for which connections (network interfaces) the firewall is enabled. This is useful if you want to enable the firewall for a particular connection (for example, a cable modem connection to the Internet) but not for another (for example, your local area network connection).

If you have an existing Firewall (Zone Alarm, Black Ice, etc.) and are happy with it - disable the Microsoft Firewall - do not leave both Firewalls enabled !!

If you leave the firewall on, you might need to configure exceptions to allow desired programs and services to send information through the firewall. On the Exceptions tab, you can define desired traffic either by the application name or by the TCP or UDP port it uses. When you add a program or port, you can click the Change Scope button to specify whether the exception should apply to traffic coming from all computers (including those on the Internet), just from computers on your local network, or a custom list of computers (by IP address).

What SP2 Breaks

As we all feared - many programs have problems running after SP2 is installed.  Here is the Microsoft article kB 842242 which describes some of them.  The page is growing rapidly, as more and more problems are being reported !!  http://support.microsoft.com/default.aspx?kbid=842242&product=windowsxpsp2 

Beyond those programs - here are some others and the fixes:

Outlook Express - blocks pics in your HTML Emails

After installing SP2, by default SP2 now blocks remote images in HTML e-mail. Why? Because remote images are picture files that are stored on someone else's server and downloaded when you open the message. These can include unwanted pornographic images.  But of course, you may want to make that choice for yourself, and you will see there is an option that you can click to reveal them.  But there is no way to simply see them without having to click that each time.

Device drivers known to cause instability in Windows XP Service Pack 2

The Driver Protection feature helps protect operating system stability by preventing the operating system from loading drivers that are known to cause stability problems. Drivers that are known to cause stability problems are listed in the Driver Protection List database that is included with Windows XP. Driver Protection checks this database to determine whether to load a driver in Windows XP.  The following device drivers are known to cause instability in Windows XP SP2 and have been added to the Windows XP Driver Protection List (for the latest list, visit the MS Protected Drivers page):

Application/Driver Vendor Driver Binary Match Criteria
Security Services and AV Driver Command Software CSS-DVP.SYS Product Version: and
SMSC LPC Memory Stick Host Controller Sony Smscms.sys Link Date: 09/02/2003 19:07:48
Windows CE Emulator Microsoft VPCAppSv.sys Product Version: and system is running in PAE or NX mode
Virtual PC Connectix VPCAppSv.sys Product Version: 4.x and system is running in PAE or NX mode

Bluetooth keyboard or mouse doesn't work on SP2 computer

*** also see http://support.microsoft.com/default.aspx?scid=kb;en-us;873154&Product=winxp 

If you've installed Service Pack 2 and then you connect a Bluetooth keyboard or mouse, XP won't detect them when you start the computer. 

Cause 1 - Bluetooth stack requires Initial Configuration to be done with Wired Keyboard & Mouse

This is actually a security feature, to prevent others from using Bluetooth devices to access your system. You'll need to configure the Bluetooth devices first (which means you'll need to temporarily connect a wired keyboard/mouse).  This issue occurs if your Bluetooth adapter is enabled for the Microsoft Bluetooth stack in Microsoft Windows XP Service Pack 2 (SP2).  The Microsoft Bluetooth stack that is included in Windows XP SP2 does not let Bluetooth devices function until after you configure and pair the devices in Windows. This requirement helps prevent unauthorized access to your computer. When you connect the Bluetooth devices and then start the computer, the following behavior occurs:

When the computer starts, but before the Microsoft Bluetooth stack loads, the Bluetooth devices operate in Human Interface Device (HID) mode or by emulating a universal serial bus (USB) device.  When the Microsoft Bluetooth stack loads, it disables HID mode or USB emulation for the Bluetooth devices.  The Bluetooth stack in Windows XP SP2 is designed to help prevent a Bluetooth device from connecting until you explicitly configure that device. This requirement helps prevent unauthorized access to your computer through a Bluetooth device.

You must connect a wired keyboard and mouse to the computer to install Windows when Windows XP SP2 is integrated with the Windows XP installation media. (This installation is also known as a slipstream service pack installation.) When you install Windows XP by integrating the Windows XP SP2 service pack with the Windows XP installation media, Windows does not detect a Bluetooth mouse or a Bluetooth keyboard during the graphical user interface (GUI) mode part of the Setup program. Therefore, you cannot complete the Windows installation or log on to Windows by using a Bluetooth mouse or a Bluetooth keyboard.

The Fix - to resolve this issue, connect a wired keyboard and mouse to your computer to configure the Bluetooth devices.

Cause 2 - Discovery Option is Turned OFF

This problem may occur if the discovery option is turned off on a Windows XP Service Pack 2-based computer that has Bluetooth support. By default, the discovery option is turned off so that the Windows XP-based computer cannot be discovered by a Bluetooth-connected device without your knowledge or consent.  To work around this problem, you must turn on the discovery option in Bluetooth on Windows XP Service Pack 2. To do this, follow these steps:

Bluetooth devices can now discover and connect to your Windows XP SP2-based computer.

Important - turn on discovery only when you want a Bluetooth device to find your computer. After the device has been added or bonded with your computer, discovery is no longer required. You can turn it off to help protect your privacy.


Can't Install Paint Shop Pro on XP with Service Pack 2

Here's a problem that's sure to come up often after SP2 is released: some systems - those whose processors have the NX (no execute) page protection feature enabled - will not let you install the popular Paint Shop Pro 8 graphics program after you install SP2. Currently, this applies to the AMD Opteron (32 and 64 bit) and the AMD Athlon64. What's up with that? Luckily, there's a fairly easy workaround, which you'll find in MS KB article 873176.  http://support.microsoft.com/default.aspx?scid=kb;en-us;873176&Product=winxp 

NetZero Closes Unexpectedly When You Start it in XP SP2

Uh-oh. Another SP2 problem (don't say we didn't warn you that SP2 can be expected to break some program): after you install SP2 and then try to open NetZero, you may get a message that says "NetZero has encountered a problem and needs to close." Unfortunately, you're going to need an updated version of the NetZero software to fix this one. Check their Web site (www.netzero.com) for availability. The problem is documented in MS KB article 870907.  http://support.microsoft.com/default.aspx?scid=kb;en-us;870907&Product=winxp


SP2 NAT Conflict with L2TP/IPsec - and the Fix

ZDNet News reports that SP2 "undoes" the NAT Traversal (NAT-T), which made it possible to use L2TP/IPSec VPNs with servers that use Network Address Translation (NAT).

You can fix this by editing the Registry (see the box below). 

SP2 can cause a loss of network connectivity for workstations that use Microsoft’s L2TP-based virtual private networking (VPN) client to connect to servers that are connected to NAT-based networks (explained below). Based on an SP2 design decision, Microsoft refers to the anomaly as an expected change to the default behavior of Windows XP, which, prior to the update, allowed for L2TP-based connectivity to NAT-based servers.

After confirming ZDNet’s tests which show how updating to SP2 negatively impacted L2TP-based VPN connectivity with NAT’d servers (essentially undoing the NAT-T patch), Mitchell said that Microsoft will add a document to its on-line knowledge base within the next couple of weeks that explains how to reset Windows XP to its pre-SP2 default behavior and the risks associated with that change.

The configuration change, which worked as advertised in our tests, requires the addition of a new key to Windows XP registry. According to Mitchell, the registry key that must be added is as follows (without the brackets):

The SP2 L2TP/IPsec Loss of Connectivity Fix:

[HKLM\System\CurrentControlSet\Services\IPSec\AssumeUDPEncapsulationContextOnSendRule = REG_DWORD]. SP2 resets this value to 0, which causes loss of connection to the VPN.  To fix this, all you have to do it set the value to 2.  There are actually three possible values, as follows:

0 - resets the behavior to Default SP2
1 - will only enable a Client with a public (i.e.non-NAT’d) address to connect to a NAT’d server
2 - enables both public and NAT’d clients to connect to a NAT’d server. The value of “2” is equal to the pre-SP2 behavior.

The key can be entered into the registry by a system’s user. But the preferred way is to push the change to the users who need it with Active Directory scripts or a third-party systems management tool.

In our discussions with Microsoft, officials were careful not to articulate this as a fix, nor the risks that go with it as a vulnerability. The risks, according to Mitchell, aren’t exactly known, which is why, in the name of security, Mitchell said he made the decision to change the default to a behavior that errs on the side of caution.

According to Microsoft, NAT introduces an additional layer of uncertainty (beyond that which is already there with non-NAT’d networks) over the fate of packets that are destined for a server connection that may have timed out. In L2TP-based VPN situations, the fate of such packets is largely irrelevant since their payload is encrypted (based on PKI, only the targeted system can decrypt them). Despite the irrelevance of that scenario, Mitchell claimed there are other scenarios that caused Microsoft to play it safe. Though Mitchell claims that such a scenario has never historically revealed a vulnerability, one of those scenarios has to do with unencrypted payload-bearing IPsec connections and the fate of packets when such a connection times out.

NAT stands for Network Address Translation (NAT) and is present in virtually all home networks where the various workstations share a single IP address through a DSL modem-based connection using a residential gateway. To external systems, such as Web servers, all systems on NAT-based network have the same IP address--the one that is shared. When a system which is external to a NAT-based network (such as a Web server on the Internet) responds to a request from the shared IP address, NAT is the technology that figures out which of the systems sharing that IP address made the request, and routes to-and-fro traffic appropriately. Though it’s not common, Microsoft acknowledges that there are businesses which put VPN servers on NAT-based networks (informally referred to as “NAT’d” servers). It is in this scenario certain Windows XP workstations will lose their VPN connectivity once SP2 is applied. First hand reports of the problem are also beginning to surface in certain Internet forums.

The problem will primarily affect telecommuters and road warriors who occasionally work from home and whose machines are configured to connect to a VPN with L2TP.

In part due to its relationship to the IPsec protocol, L2TP (otherwise known as Layer 2 Tunneling Protocol) is a more secure VPN protocol than is Microsoft’s Point-to-Point Tunneling Protocol (PPTP), which is commonly used for VPN connectivity. As its name suggests, L2TP can support Layer 2 (and higher) connections, which makes it appropriate for WAN connections that require the support of non-routable protocols. PPTP is a Microsoft-specific VPN technology that’s not supported by the default configuration of some enterprise firewalls, whereas L2TP is an IETF standard (as is IPsec) that is more widely supported.

One reason that L2TP is looked upon as being more secure has to do with how authentication is not a pre-requisite for encrypted communications. With L2TP, the authentication process itself is protected by an encrypted tunnel--whereas, the same process via PPTP is considered less secure. Many companies that want a standard, vendor-neutral VPN protocol and secure networks while allowing access from outside the firewalls, will only permit L2TP VPNs as opposed to less secure PPTP connections. The differences between L2TP and PPTP are more thoroughly fleshed out in a document on Microsoft’s Web site. In a telephone interview, Microsoft’s Windows Network program manager Chris Mitchell told ZDNet that, as a VPN protocol, Microsoft considers PPTP to be non-strategic.

NAT-based networks haven’t always played well with L2TP and IPsec-based VPNs. In response, Microsoft has issued updates to “to enhance the current functionality of the Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPSec) on computers that are running Windows XP or Windows 2000,” according to one update page on Microsoft’s Web site. This feature is commonly referred to as the “NAT-T” or “NAT Traversal” patch, which makes IPSec and L2TP play nice with NAT.