Download time considerations aside, one problem I see with the service pack-only approach is Microsoft often releases patches that turn out to interact poorly with some software or configuration. What do you do if some piece of SP1 interferes with a critical piece of software you need to run?

Microsoft has also shown a disturbing tendancy lately to add new EULA provisions with service packs. By adding these to critical updates they effectively ram them down users' throats, since you either accept new restrictions on what you've already bought or accept being insecure. A good example is one they inserted in a service pack recently that basically gives them the legal right to break any of your software remotely:

"You agree that in order to protect the integrity of content and software protected by digital rights management ('Secure Content'), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update." (Reference: http://www.theregister.co.uk/content/4/25956.html)


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/112/16650#16650