On July 13, 2010, Microsoft will stop releasing security updates, hotfixes and other updates for Windows XP Service Pack 2. Microsoft advises users who are currently on XP SP2 to update to XP SP3 or Windows 7. Windows XP SP3 was released in April of 2008, which started the 24-month wind-down phase for SP2, so this end-of-support date by itself does not come as a surprise to IT admins who follow Microsoft’s lifecycle.
Nevertheless, we see a large number of machines in enterprise networks still running Windows XP SP2. The following graph shows that only half of all Windows XP installations have upgraded to SP3 since its release. Even with a significant increase in the upgrade ratio, up from the 20% and 30% achieved in 2008 and 2009 respectively, we are still over a year away from having all machines migrated, which threatens to leave many machines exposed to exploits for the vulnerabilities that we expect in the second half of 2010. Home users should be better off, as XP SP3 is being pushed down automatically to machines that participate in Windows Update or Microsoft Update. On the enterprise side, however, it seems that 2 years of burn-in time is not enough, and it would be helpful if Microsoft could extend support for one more year.
PS: Support for Windows Embedded XP SP2, an OS quite frequently used for ATMs and POS systems, is extended to Jan 2011, so users of embedded systems have a bit longer to prepare. These embedded systems are frequently an even bigger challenge to keep up to date; they are often managed by a third party and sometimes not even properly recognized as Windows computer systems.