Introduction
Windows XP Service Pack 2 (SP2) contains major security improvements designed to provide better protection against hackers, viruses, and worms. Windows XP SP2 also improves the manageability of the security features in Windows XP and provides more and better information to help users make decisions that may potentially affect their security and privacy. Microsoft strongly urges customers with Windows XP and Windows XP Service Pack 1-based systems to update to Windows XP SP2 as soon as possible.
As a best-practice approach to implementing a managed rollout of Windows XP SP2, customers are encouraged to use a corporate update management solution such as Systems Management Server (SMS) 2003 or Software Update Services (SUS).
The following section details considerations for deploying Windows XP SP2 using SUS.
Situation overview
Because Windows XP SP2 is a relatively large update (approximately 270 MB), SUS administrators need to consider the impact on internal network traffic and on the machine on which the SUS server is running.
For the vast majority of SUS implementations, server and network load will not be a concern and SUS administrators will not have to take the mitigation actions described below. It is nevertheless recommended that the SUS administrator monitor the performance and load on the SUS server when the update is initially approved.
Under ideal conditions for a dedicated SUS server, assuming a 100 Mbps server network card capacity with 20% of this capacity consumed as overhead, it will take approximately 30 seconds for a SUS client to download the Windows XP SP2 update from the server. This translates to 2880 client downloads in a 24-hour period.
While this is the theoretical number of clients that can be supported in a 24-hour period if only one client is in contact with the server at any given time and there is no time gap between servicing one client and the next, a couple of factors contribute to reducing this number in reality. These include:
- SUS clients contact the server at randomized intervals of between 17 and 22 hours. Hence, the client synchronizations are not serialized and it is likely that more than one client will contact the server at the same time, particularly in environments that have a large number of SUS clients.
- If the SUS client machine is turned off when it is scheduled to contact the server, it will attempt to contact the SUS server approximately 10 minutes after the client machine has been turned on. Because many systems would typically be turned on around the beginning of the work day or the start of a work shift, an unusually high number of clients (relative to the volume of clients contacting the server through the rest of the day) would attempt to contact the SUS server at this time.
Although clients that cannot be serviced by the SUS server because of capacity limitations will attempt to contact the server again after approximately 5 hours, this overload situation will result in slowing down the server and generating additional network overhead.
Overall recommendations
There are essentially three options, depending on the number of Windows XP systems to be updated using your SUS server (if you have one or a few SUS servers) and the topology of your SUS implementation (if you have many SUS servers):
- No action is necessary if you have fewer than 2000 Windows XP machines that need to be updated with Windows XP SP2 per SUS server.
- Use the limited-time approval technique described below if you have between 2000 and 15000 Windows XP machines that need to be updated with Windows XP SP2 via the SUS server.
- Implement one of the following bandwidth throttling mechanisms if you need to control the maximum bandwidth used to deploy Windows XP SP2 using SUS:
  - Limit the maximum number of concurrent connections and the maximum bandwidth served on the SUS IIS server.
  - Limit the maximum bandwidth used by SUS clients to download SUS content by configuring BITS (Background Intelligent Transfer Service) 2.0 accordingly.
For the first (no action necessary) option, it is recommended that the SUS administrator monitor the server load when the update is first approved and for the first hour of the work day or first work shift after the Windows XP SP2 update has been approved.
The limited-time approval technique works by limiting the number of SUS clients that see the Windows XP SP2 update on the list of approved updates when they contact the SUS server on any given day while this technique is in use, thereby controlling the number of clients that are serviced per day and limiting the server load and additional network overhead (retry attempts, etc.).
The third set of options works by limiting the bandwidth used by the SUS implementation, thereby controlling the load on the server and the network.
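The following capacity model, added here as an example and not part of the original article, reproduces the 30-second / 2880-clients-per-day figure from the situation overview and then simulates one day of client contacts, including the post-boot surge, the 5-hour retry and the limited-time approval technique. The client population, the shift start time and the share of machines switched off overnight are constructed inputs.

```python
"""Capacity model for the SUS rollout of Windows XP SP2 discussed above (added
example, not from the article): sizes, link figures and timing follow the
text; client counts and the off-overnight share are constructed inputs."""
import random

DAY = 24 * 3600  # seconds in the 24-hour window the text reasons about

def seconds_per_download(update_mb=270, nic_mbps=100, overhead=0.20):
    """Seconds for one client to pull the update alone on the server link."""
    usable_mb_per_s = nic_mbps * (1 - overhead) / 8  # Mbps -> MB/s
    return update_mb / usable_mb_per_s  # about 27 s; the text rounds to 30

def serial_daily_capacity(seconds_per_client=30):
    """Clients served per day if downloads never overlap (the text's 2880)."""
    return DAY // seconds_per_client

def simulate_day(clients, off_overnight, shift_start_h=8, slot=30,
                 retry_h=5, approval_hours=None, seed=1):
    """Serve one download per `slot` seconds (server at full throughput).
    Machines off overnight contact ~10 min after shift start (the surge in the
    text); others hit a random point of their 17-22 h cycle, roughly uniform
    over a day. Unserved contacts retry `retry_h` hours later. With
    `approval_hours` set, only contacts in that window after shift start see
    the update (limited-time approval). Returns counts and the per-slot peak.
    """
    rng = random.Random(seed)
    start, slots = shift_start_h * 3600, DAY // slot
    demand = [0] * slots
    counts = {"served": 0, "deferred": 0, "not_offered": 0, "peak": 0}
    for i in range(clients):
        if i < int(clients * off_overnight):
            t = start + 600 + rng.randint(0, 120)  # boot surge
        else:
            t = rng.randint(0, DAY - 1)
        if approval_hours is not None and not (
                start <= t < start + approval_hours * 3600):
            counts["not_offered"] += 1  # update not on the list today
            continue
        demand[t // slot] += 1
    for s in range(slots):
        counts["peak"] = max(counts["peak"], demand[s])
        if demand[s]:
            counts["served"] += 1  # one download fits in this slot
            for _ in range(demand[s] - 1):  # the rest retry ~5 h later
                r = s + retry_h * 3600 // slot
                if r < slots:
                    demand[r] += 1
                else:
                    counts["deferred"] += 1
    return counts
```

Comparing `simulate_day(3000, 0.5)` with `simulate_day(3000, 0.5, approval_hours=2)` shows how the approval window caps the number of clients that download on a given day while the boot surge still dominates the per-slot peak.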