Monday, October 06, 2003

OK, I promised a story about why MS03-039 came out so quickly for XPE, but other QFE's take weeks or months...

Simply put, after the Blaster worm (exploiting the vulnerability patched with MS03-026), we were pretty skittish when it came to RPC fixes. Since MS03-039 was another RPC fix, we were on it like flies on manure. Also, we had learned some lessons with 026, like where there was a test tool for the fix. With the test tool in hand and everyone sufficiently alarmed at the prospect of another Blaster, 039 was completed and released in record time.

To put it another way, everyone involved made it their number one priority. Obviously, this kind of reactive fire-drill mode doesn't scale well.

The best turn-around time I can look forward to achieving with QFE's is about one week. That includes time to author the new components, get them tested, code sign the packages, and release them to the web. There's a longer lead time needed to get bits out into the OEM channel for non-evaluation customers (check the download site - the QFE's posted there are for eval customers only, not for redistribution on shipping devices).

To cut down on that week, we're releasing a new QFE today, KB 824706, which enables you to run later Windows XP Pro QFE packages directly on XPE runtimes. XP Pro QFE's shipped after 7/6/03 will run on XPE runtimes, provided you've got the right dependencies in place. Our Desktop QFE Installer Support component adds those dependencies. Footprint hit is about 10 Mb, less if you've got a more feature-rich device. Check out the web page and KB article (which may not be published yet) for more details.