2000 vs. XP vs. server2003 hot fixes

[oao]

I am in the process of using HFSLIP to create a win2K cd-r.

In the list of hot fixes for 2000 there are quite a few ones that MS download pages say they

are for to XP SPs (e.g. 896358), and fewer for server2003 (e.g. 899591).

Should they be included and if so why?

Thanks.

FP

[tommyp]

Read the FAQ at HFSLIP.org or any of the stickies on this forum.

[oao]

I read thru all the FAQs/guides/help I could locate and I did not see an answer to the specific question I asked, namely WHY hotfixes for XP and server 2000 should be slipstreamed into win2000 professional.

Also, should all generations of MSXML (1,2,4,6) be included?

Thanks.

FP

[Super-Magician]

Hello, oao!

The reason why you must use the XP version of some hotfixes when slipstreaming 2000 with HFSLIP is simple. The XP version is easier to handle and/or the 2000 version has a few problems in its construction.

Only MSXML 2, 4, and 6 are supported. However, only very specific versions of each are. Please read through one of the links at hfslip.org for more info.

Edited April 6, 2007 by Super-Magician

[Tomcat76]

I don't know where you got your info from but it's incorrect for the most part.

Windows2000-KB896358-x86-ENU.EXE:

"Supported Operating Systems: Windows 2000 Service Pack 3; Windows 2000 Service Pack 4"

Windows2000-KB899591-x86-ENU.EXE:

"Supported Operating Systems: Windows 2000 Service Pack 4"

KB899591 is superseded, btw.

There is one hotfix on my Win2K list that's intended for Server 2003, and that's the time zone update. Microsoft did not release a version for Windows 2000 but HFSLIP supports both the XP and the 2K3 version of KB931836 in any circumstance (any source) so that's why my 2K list shows the Server 2003 version. I originally linked to the XP version but Microsoft later decided to make it a WGA download so I switched to the 2K3 version.

[oao]

Thanks.

There seems to be some confusion between the KB's that I got from my Windows Update history and

the download pages of Windows updates: the former were applied to my system as 2K, but when I went to the later, they were shown as XP. Not clear why.

Anyway, I am now working with the list at http://users.telenet.be/tc76/winup/_win2k.html and will let you know if any confusion remains.

In a trial run of HFSLIP I noticed that one fix was not applied and a statement with /command? parameter was issued. If it reoccurs I will post here.

I may have a few other questions, but I will first search on the topics here.

[oao]

After som thorough work with the hot fixes and review of the docs here I cane up with the following questions:

1. General question: for security fixes that pertain to components not being used, are the vulnerabilities in the files per-se, or do they occur only if the components are used?

E.g. KB923694 cumulative security update for MSOE: I don't use MSOE, even though it is installed with Windows 2000.

Incidentally: can it be removed from the installtion CD?

2. The following two fixes

msxml2.msi

msxml6_x86.msi

should be placed in HF, or together with UPHClean-Setup.msi in HFGUIRUNONCE?

3.Based on the removed fixes list at http://www.msfn.org/board/index.php?showtopic=58360

February 17-Removed 925454, 911562, and 922616.

January 10-Removed 925486.

December 19-Removed 911567 and 922760.

November 17-Removed 918899, 890046 and 921883.

October 10-Removed 917159.

August 9-Removed 916281 and 908523.

The following fixes are neither shown as removed, nor in the currently valid fix list at

http://users.telenet.be/tc76/winup/_win2k.html

Are they valid, or should they be disregarded?

Security Update for Windows 2000 (KB896422)

Windows2000-KB896422-x86-ENU.EXE

http://www.microsoft.com/downloads/details...;displaylang=en

Update for Windows 2000 (KB904368)

Windows2000-KB904368-v3-x86-ENU.EXE

http://www.microsoft.com/downloads/details...46-910be4ddcbbc

Cumulative Update for Internet Explorer 6 SP1 (KB912812)

IE6.0sp1-KB912812-Windows-2000-XP-x86-ENU.exe

http://www.microsoft.com/downloads/details...;displaylang=en

MS05-037: Vulnerability in JView Profiler could allow remote code execution

IE-KB903235-x86-ENU.exe

http://support.microsoft.com/kb/903235#appliesto

Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)

Windows-KB870669-x86-ENU.exe

http://www.microsoft.com/downloads/details...;displaylang=en

Critical Update for Windows Media Player (All Versions) for Windows 2000, Windows XP, and Windows Server 2003 (KB828026)

WindowsMedia-Q828026-x86-ENU.exe

http://www.microsoft.com/downloads/details...;displaylang=en

Security Update for Windows Media Player 9 Series (KB885492)

WindowsMedia9-KB885492-x86-ENU.exe

http://www.microsoft.com/downloads/details...;displaylang=en

Security Update for Windows Media Player 9 (KB911565)

WindowsMedia9-KB911565-x86-ENU.exe

http://www.microsoft.com/downloads/details...;displaylang=en

Windows Media Player Plug-in for Netscape Navigator

wmpplugin.exe

http://www.microsoft.com/downloads/details...;displaylang=en

Security Update for Windows Media Player Plug-in (KB911564)

WindowsMedia-KB911564-x86-ENU.exe

http://www.microsoft.com/downloads/details...;displaylang=en

QuoVadis Root Certificate

rootsupd.exe

http://download.windowsupdate.com/msdownlo...en/rootsupd.exe

Thanks.

FP

[oao]

I am removing the following fix from the above list, as it is valid:

Security Update for Windows Media Player Plug-in (KB911564)

WindowsMedia-KB911564-x86-ENU.exe

http://www.microsoft.com/downloads/details...;displaylang=en

[oao]

I am adding the following two XML fixes which Windows Update applied to my computer, but

which are not in your valid list:

Vulnerabilities in Microsoft XML Core Services 4.0 SP2 Could Allow Remote Code Execution (925672)

msxml4-KB925672-enu.exe

http://www.microsoft.com/downloads/details...;displaylang=en

Vulnerabilities in Microsoft XML Core Services 4.0 Could Allow Remote Code Execution (927978)

msxml4-KB927978-enu.exe

http://www.microsoft.com/downloads/details...;displaylang=en

[oao]

From the above list, the following were applied to my computer by Windows update:

925672 xml4 sp2

927978 xml4 sp2

828026 wmp

896422

925902

926436

I have removed them and Windows Update notifies me that the last 4 should be applied. So it looks they are valid, why are they not in your list? And what about the 2 XML fixes?

Regards,

FP

[Tomcat76]

KB925672 is superseded by KB927978.

KB927978 is on my list so I conclude that you didn't go through the "Update your Windows 2000 configuration" part, where you'll find a checkbox to include MSXML4 among many other upgrade possibilities.

[oao]

>KB925672 is superseded by KB927978.

Well, when 927978 installs it does not remove 925672, so it's hard to tell.

>KB927978 is on my list so I conclude that you didn't go through the "Update your Windows 2000 configuration" part, where you'll find a checkbox to include MSXML4 among many other upgrade possibilities.

I've been working from several lists, the main one being

http://users.telenet.be/tc76/winup/_win2k.html and it does not have it.

I will go over yours more carefully and check out any differences.

What about the other 4?

[Tomcat76]

The list is missing 1 update for Windows 2000 which Microsoft released a few days ago. It's KB925902, and it replaces KB912919 and KB896424.

I can't say anything about the WMP updates if I don't know whether you're slipstreaming WMP9 or not.

However, please go through the "Update your Windows 2000 configuration" section because checking/unchecking boxes dynamically updates the hotfix list at the bottom.

[oao]

Hi,

Yes, I slipstream WMP9 and IE6.

I focused on just two Win2K lists, the configuration one you refer to and The Guy's, and I hope that this is the latest iteration of the discrepancies I found. This is based on checking everything in your configuration list:

1. Neither list has the following:

* KB896422 Security Update for Windows 2000

* KB828026 Critical Update for Windows Media Player (All Versions) for Windows 2000, Windows XP, and Windows Server 2003

* KB870669 Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer

* KB885492 Security Update for Windows Media Player 9 Series

* KB904368 Update for Windows 2000

* KB903235 Security Update for JView Profiler

* KB911565 Security Update for Windows Media Player 9

* KB912812 Cumulative Update for Internet Explorer 6 SP1

* KB891122 Update for DRM-enabled Media Players

* KB911564 Security Update for Windows Media Player Plug-in

Windows Update insists that the first two, KB828026 and KB896422, be applied even after removing them.

3. Your configuration list includes MSXML2.MSI which the MS download page says it applies to SQL Server, not Windows 2000.

4. Any ideas why The Guy's list does not have the following ones that you have in your configuration list? ( I emailed him this question too).

* Microsoft Data Access Components (MDAC) 2.8 SP1

* KB887606 FIX: The Microsoft XML Parser (MSXML) uses cached credentials incorrectly

* KB927978 MS06-071: Security update for Microsoft XML Core Services 4.0

* Microsoft Core XML Services (MSXML) 6.0 Service Pack 1

* Roots certificate update

* KB908506 Update for Windows 2000

* KB926121 Security Update for Windows 2000

* KB926247 MS06-074: Vulnerability in Simple Network Management Protocol (SNMP) could allow remote code execution

* KB909520 Microsoft Base Smart Card Cryptographic Service Provider Package: x86

* KB917275 Microsoft Windows Rights Management Services Client with Service Pack 2 - x86

* WindowsUpdateAgent20-x86.exe

Please advise.

Thanks.

FP

Edited April 8, 2007 by oao

[tommyp]

How are you checking for these discrepancies? Are you using an old outdated mssecure.xml file? Are you googling old windows updates on the web? The MSBLA will guide you the right direction for applying the latest and greatest updates.

As far as some hotfixes you list..... Here is an interesting finding while searching the boards for hotfix 896422 - link. For KB912812, an cumulative update to IE6 released April 2006. Each month last year, IE6 had a cumulative rollup. 912812 is 12 updates behind at this point and it would be unwise to slipstream it.

I can probably answer for the_guy with his hotfix lists. He concentrates on critical updates and not recommended updates. Tomcat76 includes some recommended ones and some fixes that are nice to have, xml stuff falls into this category.