According to security risk and compliance management provider Qualys, 50% of the several hundred thousand PCs it monitors for its clients are still running Windows XP SP2.
“The normal thing for IT is not to muck around with something that works,” said Wolfgang Kandek, chief technology officer for Qualys, as he tried to explain why corporations have stuck with 2004’s SP2 and not updated to SP3, which debuted two years ago .
Microsoft will officially retire Windows XP SP2 on July 13. After that date, although it will continue to provide security updates for XP SP3, it will stop issuing patches for the older SP2.
“I would expect that come August, SP2 will be getting hard and harder to defend,” said Kandek, referring to the lack of security updates. “I expect to see reliable exploits of unpatched vulnerabilities three or four months later.”
Companies have stepped up their efforts to migrate machines to XP SP3 in the last 11 months — the rate of adoption of the newest service pack during that period was roughly double that of SP3’s first 14 months of availability — but even now, just weeks before SP2 will slide off support, half of the Windows XP systems still run the older edition, according to Qualys.
“I think this simply flew under the radar of most IT professionals,” said Kandek, talking about the July retirement of XP SP2. “Personally, I didn’t know about it until two months ago. I don’t think many people were looking at the [retirement] messages Microsoft was putting out.”
Microsoft started warning customers of XP SP2’s looming retirement last February, and has been repeating that warning every month in its Microsoft Security Response Center (MSRC) blog on Patch Tuesday, the regularly-scheduled second-Tuesday-of-the-month security update release day. But not every user reads the MSRC blog.
Windows XP SP3 will exit all support in April 2014; to receive vulnerability fixes, users must update to that service pack by July.
By Qualys’ numbers, Windows XP accounts for approximately 80% of all enterprise PCs, a considerably higher share than estimated by Web metrics companies such as NetApplications, which pegged XP’s share in April at 63.4% . NetApplications, however, calculates usage share globally — Qualys’ is predominantly U.S. — and factors in consumers as well as businesses.
Microsoft has made some minor concessions on Windows XP SP2 support. Last month, it said it would take calls from customers running outdated service packs, such as SP2. Previously, it turned those people away.
Instead, Microsoft’s support staff will answer questions about old service packs, fill out support tickets and provide what the company’s head of support called “limited troubleshooting.”
The new support for obsolete service packs isn’t free, however. Companies or customers without an in-place Microsoft support plan will be billed on a per-incident rate. A consumer contacting Microsoft support via chat or e-mail, for example, is charged $49, while telephone-based support costs $59.
Windows XP SP3 can be downloaded from the Microsoft site, or obtained from XP SP2 PCs via the Windows Update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg’s RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about windows in Computerworld’s Windows Topic Center.
Gregg Keizer, Computerworld