Paula Sharick, InstantDoc #26166, August 6, 2002
59 Post-SP3 Hotfixes Conflict With SP3 Upgrade
Here’s the bad news—ugly, but predictable. Microsoft privately distributed a large number of post-Windows 2000 Service Pack 3 (SP3) code changes to selected customers before releasing SP3. Because Microsoft incorporated changes into SP3 after distributing the post-SP3 hotfixes, the original versions of 59 post-SP3 hotfixes contain older file versions than those in the SP3 catalog. If you attempt to install the original version on a running SP3 system, file version conflicts might cause the hotfix install to fail or to function incorrectly. To guarantee a working OS, you need to obtain and reinstall the new, improved version of each affected hotfix after you upgrade to SP3.
The post-SP3 patch problem affects hotfixes that Microsoft Product Support Services (PSS) distributed to customers between April 2, 2002, and July 29, 2002. If you have a support contract, you need to verify whether any of the 59 updates in the list below are installed on systems you plan to upgrade. Microsoft states that this problem applies only to privately distributed updates and is not a concern for security hotfixes or updates posted at the Microsoft Download Center and Windows Update. Microsoft also claims that SP3 setup will detect and warn you of hotfix conflicts during the "inspecting your system" phase of the upgrade. If you don’t get any such warnings during Setup, you can safely proceed. For more details, see the Microsoft article "Some Windows 2000 Hotfixes May Cause a Conflict with Service Pack 3 (SP3) for Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q309601
You can use a variety of tools to list installed hotfixes, including the hotfix.exe utility, the SP3 version of update.exe, Qfecheck, Hfnetchk, and the Microsoft Baseline Security Analyzer (MBSA) tool. The fastest way to list hotfixes on the local system is to run the SP3 update.exe utility. Expand the service pack (w2ksp3.exe /x), open a command prompt and type
In a few seconds, the installer displays a pop-up window that itemizes installed hotfixes. You can generate an equivalent list using the hotfix.exe utility, which Microsoft embeds in most hotfixes. Simply expand a hotfix into its component files (Qxxxxxx /x) and type
hotfix.exe /l
at a command prompt. Hfnetchk, the improved version of Qfecheck, has an extensive command-line interface and is well documented in the Microsoft article "Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available," which you can read at http://support.microsoft.com/default.aspx?scid=kb;en-us;q303215 .
I prefer the MBSA because of the friendly GUI and report archiving features. With its custom version of Hfnetchk, MBSA is the fastest and easiest method for auditing hotfixes on multiple systems. You can audit systems by name, by TCP/IP address or address range, and by domain membership, and you can save the audit results permanently in a disk file. With a permanent record, you can easily compare before and after snapshots of system status, which is important for tracking progress and auditing the final results of your configuration activity.
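The following Python script is an added example, not part of the original article and not a Microsoft tool: it scans saved per-host hotfix listings for the 13 Active Directory hotfix IDs listed on this page and reports which hosts will need the updated hotfix after the SP3 upgrade. The inventory text layout, the host names, and the function names are assumptions, and the sample data is constructed.

```python
import re

# The 13 Active Directory hotfix IDs listed on this page. Extend this set with
# the remaining categories of the 59 hotfixes before relying on the result.
AFFECTED_AD_HOTFIXES = {
    "Q288180", "Q312827", "Q319672", "Q319709", "Q320099", "Q320670",
    "Q320711", "Q320903", "Q321217", "Q321933", "Q322175", "Q322842",
    "Q324184",
}

# A hotfix ID is "Q" plus six digits. Match case-insensitively, and refuse to
# match inside a longer token so Q3196720 is not mistaken for Q319672.
_QID = re.compile(r"(?<![A-Za-z0-9])q(\d{6})(?!\d)", re.IGNORECASE)


def installed_ids(inventory_text):
    """Return the set of normalized hotfix IDs found in one host's listing."""
    return {"Q" + m.group(1) for m in _QID.finditer(inventory_text)}


def conflicts_by_host(inventories, affected=AFFECTED_AD_HOTFIXES):
    """Map host -> sorted affected hotfix IDs; hosts with none are omitted."""
    report = {}
    for host, text in inventories.items():
        hits = sorted(installed_ids(text) & affected)
        if hits:
            report[host] = hits
    return report


# Constructed sample listings (assumed layout: free text containing Q numbers,
# as saved from whichever audit tool produced the inventory).
SAMPLE = {
    "dc01": "Q319709 installed\nq320903 installed\nQ000001 installed\n",
    "file02": "Q000001\nQ3196720\n",
    "web03": "Hotfix: Q324184; Hotfix: Q324184\n",
}

if __name__ == "__main__":
    for host, ids in sorted(conflicts_by_host(SAMPLE).items()):
        print(f"{host}: reinstall updated version after SP3: {', '.join(ids)}")
```

Run it against the pre-upgrade snapshot, so the output is the list of hotfixes to obtain again from PSS for each host.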
Here are the 59 post-SP3 hotfixes, separated into appropriate categories:
13 Active Directory (AD) Hotfixes
- Q288180 The ExitWindowsEx() Function May Not Log Off the User or Shut Down the Computer If the Computer is Locked
- Q312827 An Incorrect Authentication Package Name May Appear in Audit Event 529
- Q319672 Directory Service Access Audits for a SAM Object Server Have Incomplete Object Names
- Q319709 An Access Violation Occurs in Lsass Because of a Stack Overflow
- Q320099 A Security Policy Does Not Process Restricted Groups Correctly
- Q320670 Event ID 528 May Not Be Logged If LsaLogonUser() Is Called
- Q320711 Accessing Active Directory with LDAP by Using Sun JNDI Calls May Not Work
- Q320903 Clients Cannot Log On by Using Kerberos over TCP
- Q321217 You Receive an "Action Could Not Be Completed" Error Message When You Select Many Recipients in the Global Address List
- Q321933 Services Are Not Listed in the Security Configuration and Analysis Snap-in
- Q322175 You Must Restart the Computer After Joining a Domain with Service Pack 2
- Q322842 A Lock Occurs Between Two Threads of System GDI in Windows 2000
- Q324184 Access Violation in Lsass.exe Because of LDAP Version 2 Search with Referrals