Paula Sharick, InstantDoc #26166, August 6, 2002

59 Post-SP3 Hotfixes Conflict With SP3 Upgrade

Here’s the bad news—ugly, but predictable. Microsoft privately distributed a large number of post-Windows 2000 Service Pack 3 (SP3) code changes to selected customers before releasing SP3. Because Microsoft incorporated changes into SP3 after distributing the post-SP3 hotfixes, the original versions of 59 post-SP3 hotfixes contain older file versions than those in the SP3 catalog. If you attempt to install the original version on a running SP3 system, file version conflicts might cause the hotfix install to fail or to function incorrectly. To guarantee a working OS, you need to obtain and reinstall the new, improved version of each affected hotfix after you upgrade to SP3.

The post-SP3 patch problem affects hotfixes that Microsoft Product Support Services (PSS) distributed to customers between April 2, 2002, and July 29, 2002. If you have a support contract, you need to verify whether any of the 59 updates in the list below are installed on systems you plan to upgrade. Microsoft states that this problem applies only to privately distributed updates and is not a concern for security hotfixes or updates posted at the Microsoft Download Center and Windows Update. Microsoft also claims that SP3 setup will detect and warn you of hotfix conflicts during the "inspecting your system" phase of the upgrade. If you don’t get any such warnings during Setup, you can safely proceed. For more details, see the Microsoft article "Some Windows 2000 Hotfixes May Cause a Conflict with Service Pack 3 (SP3) for Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q309601

You can use a variety of tools to list installed hotfixes, including the hotfix.exe utility, the SP3 version of update.exe, Qfecheck, Hfnetchk, and the Microsoft Baseline Security Analyzer (MBSA) tool. The fastest way to list hotfixes on the local system is to run the SP3 update.exe utility. Expand the service pack (w2ksp3.exe /x), open a command prompt and type

i386\update\update.exe /l

In a few seconds, the installer displays a pop-up window that itemizes installed hotfixes. You can generate an equivalent list using the hotfix.exe utility, which Microsoft embeds in most hotfixes. Simply expand a hotfix into its component files (Qxxxxxx /x) and type

hotfix.exe /l 

at a command prompt. Hfnetchk, the improved version of Qfecheck, has an extensive command-line interface and is well documented in the Microsoft article "Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available," which you can read at http://support.microsoft.com/default.aspx?scid=kb;en-us;q303215

I prefer the MBSA because of the friendly GUI and report archiving features. With its custom version of Hfnetchk, MBSA is the fastest and easiest method for auditing hotfixes on multiple systems. You can audit systems by name, TCP/IP address or address range, and by domain membership and save the audit results permanently in a disk file. With a permanent record, you can easily compare before and after snapshots of system status, which is important for tracking progress and auditing the final results of your configuration activity.
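
One way to run this check across saved listings, as an added example that is not part of the original article: it pulls Q-numbers out of whatever text each tool saved, flags hosts that carry affected hotfixes, and diffs before and after snapshots. The `AFFECTED` IDs, host names and listing layout are constructed placeholders; substitute the Q-numbers from the list that follows.

```python
import re

# Placeholder watch list (constructed IDs): replace with the Q-numbers of the
# affected hotfixes from the article's list.
AFFECTED = {"Q000001", "Q000002", "Q000003"}

# Lookarounds instead of \b so IDs inside names such as Q000002_W2K_x86.exe
# still match, while longer alphanumeric runs do not.
QNUM = re.compile(r"(?<![A-Za-z0-9])Q\d{6}(?!\d)", re.IGNORECASE)


def hotfix_ids(listing):
    """Return the set of Q-numbers found in saved hotfix-listing text."""
    return {m.upper() for m in QNUM.findall(listing)}


def conflicts(listings, affected=AFFECTED):
    """Map host -> sorted affected hotfixes present in that host's listing."""
    found = {}
    for host, text in listings.items():
        hits = sorted(hotfix_ids(text) & set(affected))
        if hits:
            found[host] = hits
    return found


def snapshot_diff(before, after):
    """Compare two saved listings for one host (e.g. pre- and post-SP3)."""
    b, a = hotfix_ids(before), hotfix_ids(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


# Constructed sample listings; the layout is an assumption, not real tool output.
SAMPLE = {
    "SRV-A": "Q000001 installed\nq000002_W2K_x86.exe\nQ000042 installed\n",
    "SRV-B": "Q000042 installed\nXQ000003 (not a hotfix ID)\n",
}

if __name__ == "__main__":
    for host, hits in conflicts(SAMPLE).items():
        print(host, "reinstall after SP3:", ", ".join(hits))
    print(snapshot_diff(SAMPLE["SRV-A"], "Q000001 installed\nQ000042 installed\n"))
```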

Here are the 59 post-SP3 hotfixes, separated into appropriate categories:

13 Active Directory (AD) Hotfixes