Death of Windows XP SP2 Support a Security Risk, Says Report

Almost 80 percent of organisations surveyed risk a security breach if the do not upgrade to SP3.

If your business is still running Service Pack 2 of Windows XP, security problems are lurking around the corner, according to new research from IT services vendor Softchoice stating that almost 80 percent of organizations surveyed risk a security breach if the do not upgrade to SP3.

Why should SP2 users fear the reaper? Because Microsoft is ending support for SP2 on July 13, a date that was established when Windows XP SP3 was released on April 21, 2008. Paid support and security updates for SP2 will no longer be available, although Microsoft has stated that Windows XP SP2 users will still be allowed to access Microsoft online Knowledge Base articles, FAQs and troubleshooting tools.

All free technical support, warranty claims and design changes for Windows XP ended in April 2009 when the OS moved from Mainstream Support to the Extended Support phase. Extended Support includes paid support (charged on an hourly basis or per incident), security update support at no additional cost, and paid hotfix support.

Companies who choose not to update their SP2 systems to SP3 could, "create unnecessary security risks as hackers continue to look for vulnerabilities knowing that software updates will no longer be forthcoming from Microsoft," according to a release about the research report.

Windows XP SP2 users can download the SP3 software package from Microsoft's support site if they want to continue receiving security updates. Microsoft will also terminate support for Windows Vista RTM and Windows Server 2000 on July 13.

The Softchoice report is based on an analysis of 278,498 corporate and public sector PCs across 117 organizations from industries such as financial, healthcare, manufacturing and education.

Softchoice's data shows that 46 percent of these PCs are still running Microsoft Windows XP SP2. In addition, it is estimated that 77 percent of these organizations have enough SP2 in their environments to warrant immediate updates.

What happens for companies that don't update? Well, an unsupported service pack means no security updates, hotfixes or assisted support from Microsoft customer service. Essentially, you will no longer receive software updates from Windows Update to protect PCs from viruses, spyware and other malware, or that improve Windows reliability, including new drives for hardware.

Slideshow: Windows 7 Hardware in Pictures: The Latest and Greatest Laptops Slideshow: In Pictures: Pro Sports Teeming with Tech Partnerships Slideshow: Fighting the Dark Side: Tech's Heroes and Villains

While Windows XP SP2, released in 2004, was a major overhaul and therefore was delayed by many businesses, SP3 is more of an incremental upgrade, says Dean Williams, Services Development Manager for Softchoice.

"Many users rightfully delayed their SP2 deployments, but at this point there really isn't a compelling reason to delay the move to SP3," says Williams.

Windows XP SP3 is offered free of charge by Microsoft, yet the work involved in deploying SP3 will be significant for larger businesses or those that are not using systems management technology, according to the Softchoice report. Windows XP SP3 includes all previously released updates for the OS. There are only a few new features and functionalities in SP3, none of which significantly affect the Windows XP user experience.

It's worth noting that there is no SP3 for the 64-bit version of Windows XP. Customers running the 64-bit version of XP with SP2 have the latest service pack and will continue to be eligible for support and receive updates until April 8, 2014, when Windows XP will be retired completely.

The data used in Softchoice's analysis was collected between January and June of 2010.

Shane O'Neill is a senior writer at Follow him on Twitter at Follow everything from on Twitter at

Read more about operating systems in CIO's Operating Systems Drilldown.

Join the CSO newsletter!

Error: Please check your email address.

Tags service packwindows xpMicrosoftsecuritysoftwarespywarevirusoperating systemsmalware

More about Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Shane O'Neill

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place