Should I bother to install KB891861 Update Rollup 1 on a Windows 2000 Server?

Should I bother to install KB891861 Update Rollup 1 on a Windows 2000
Server?

The update says it consists of previously released updates rolled into
one package.

I've already installed all critical updates except for 2 other new
ones. I don't use IE except for Windows updates, so IE 6 & updates
haven't been installed either. I use IE 5 just for Windows updates.

It seems seeing how several people have reported trouble with rollup1,
I might be better off just installing the other 2 new updates. If
Rollup1 is really stuff i've already installed, why do I need it?

Is Windows Update offering you 891861? Is Win2K SP3 or SP4 installed?

Cumulative Security Updates for Internet Explorer address vulnerabilities in
Windows, too. I suggest you keep up-to-date on these.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security

Nate Goulet wrote:
> Should I bother to install KB891861 Update Rollup 1 on a Windows 2000
> Server?
>
> The update says it consists of previously released updates rolled into
> one package.
>
> I've already installed all critical updates except for 2 other new
> ones. I don't use IE except for Windows updates, so IE 6 & updates
> haven't been installed either. I use IE 5 just for Windows updates.
>
> It seems seeing how several people have reported trouble with rollup1,
> I might be better off just installing the other 2 new updates. If
> Rollup1 is really stuff i've already installed, why do I need it?

Read the KB article: http://support.microsoft.com/?id=891861 It lists all
the updates included in the Rollup; they include two (2) Cumulative Security
Updates for IE5.01 in Win2K SP4, MS05-014 and MS05-020. [But if they're
*cumulative* updates, why both?]

<QP>
Q3: Should I install Update Rollup 1 even if I have kept my Windows 2000 SP4
systems up to date?

A3: Yes. Update Rollup 1 contains additional important fixes in files that
have not previously been part of individual security updates, as described
in the Knowledge Base Article. In addition, the Update Rollup 1 contains
additional enhancements that increase system security, reliability, reduce
support costs, and support the current generation of PC hardware. In some
cases, the individual binary files released in previous individual security
updates may have been updated via individual hotfixes to address minor
compatibility issues introduced in those prior security updates that
affected individual customers. The latest versions of those files are
included in the Update Rollup.

Therefore, even if a system is fully up to date with prior security
releases, Windows Update will still detect and apply the Update Rollup.
Customers who use managed security update deployment solutions should
evaluate the need to deploy Update Rollup 1 within their infrastructure
</QP>

The Rollup does not update IE or OE:

<QP>
Update Rollup for Windows 2000 does not contain updates for individual
Windows components not included with a clean slipstream install of Windows
2000 SP4. If there are components previously installed or updated on the
system, the individual security updates must be downloaded separately from
Windows Update.

Examples include the following:

.. MS03-011 - Flaw in Microsoft VM Could Enable System Compromise
(KB816093) - The Microsoft VM is not included in SP4 natively. However the
VM may be resident on systems which were updated to SP4 from a prior SP or
installed by a third party software package.

.. Internet Explorer 6 and Outlook Express 6 - Internet Explorer 5.01 was
originally included with Windows 2000. Service Packs for Windows 2000 only
service this original version. Microsoft recommends that you install
Internet Explorer 6 SP1 and the current cumulative Internet Explorer
security updates on Windows 2000 computers for maximum security.
</QP>
--
HTH

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security


Nate Goulet wrote:
> On Wed, 20 Jul 2005 15:30:26 -0400, "PA Bear" <>
> wrote:
>
> > Is Windows Update offering you 891861? Is Win2K SP3 or SP4 installed?
> >
> > Cumulative Security Updates for Internet Explorer address
> > vulnerabilities in Windows, too. I suggest you keep up-to-date on
> > these.
>
> It's a Windows 2000 Server with SP4 installed.
>
> Windows update is offering KB891861. Does that update include IE6 if
> it isn't installed? (would prefer not to do that).
>
> I've spoken to many other consultants both in the forums & in person
> about if I really need to install IE6 on the server to keep it free
> from vulerabilities.
>
> The vast majority of people i've discussed it with agreed that if we
> are not surfing the web on the server, then we are fine keeping IE5
> with it's associated critical updates and leaving IE6 off the server.
>
> Are you saying you disagree? If so, i'm not saying your wrong either.
> Even those i've talked with that are Microsoft certified engineers
> agreed that Windows will be safe on the server without IE6 as long as
> the only thing IE5 is used for is doing Windows updates. I know
> Microsoft always likes to promote their newest stuff, but that doesn't
> automatically mean IE6 is required just to keep Windows secure.
>
> I'd like to hear any comments anyone has to share on this.
>
> The way I look at it, we only have one server currently and 30 - 50
> people depending on it. Just installing a Windows update could
> potential cause a problem, and if we had IE6 on there, new updates
> would need to be installed constantly. I'm keeping my fingers crossed
> every time I run a Windows update. The other issue is we don't have a
> lot of free space on the C partion, and installing IE6 might chew up
> more space than we can afford on C. We have plenty of space on other
> drives. Our specialist had partioned C to only have 4 Gigs.
> Changing that with Partion Magic sounds risky.
>
> The main thing is I want to make certain the server is reasonably
> protected.

~Robear:

Have you installed the rollup on any Win2K servers without issues?

Tom
"PA Bear" <> wrote in message
news:...
| Read the KB article: http://support.microsoft.com/?id=891861 It lists all
| the updates included in the Rollup; they include two (2) Cumulative
Security
| Updates for IE5.01 in Win2K SP4, MS05-014 and MS05-020. [But if they're
| *cumulative* updates, why both?]
|
| <QP>
| Q3: Should I install Update Rollup 1 even if I have kept my Windows 2000
SP4
| systems up to date?
|
| A3: Yes. Update Rollup 1 contains additional important fixes in files that
| have not previously been part of individual security updates, as described
| in the Knowledge Base Article. In addition, the Update Rollup 1 contains
| additional enhancements that increase system security, reliability, reduce
| support costs, and support the current generation of PC hardware. In some
| cases, the individual binary files released in previous individual
security
| updates may have been updated via individual hotfixes to address minor
| compatibility issues introduced in those prior security updates that
| affected individual customers. The latest versions of those files are
| included in the Update Rollup.
|
| Therefore, even if a system is fully up to date with prior security
| releases, Windows Update will still detect and apply the Update Rollup.
| Customers who use managed security update deployment solutions should
| evaluate the need to deploy Update Rollup 1 within their infrastructure
| </QP>
|
| The Rollup does not update IE or OE:
|
| <QP>
| Update Rollup for Windows 2000 does not contain updates for individual
| Windows components not included with a clean slipstream install of Windows
| 2000 SP4. If there are components previously installed or updated on the
| system, the individual security updates must be downloaded separately from
| Windows Update.
|
| Examples include the following:
|
| . MS03-011 - Flaw in Microsoft VM Could Enable System Compromise
| (KB816093) - The Microsoft VM is not included in SP4 natively. However the
| VM may be resident on systems which were updated to SP4 from a prior SP or
| installed by a third party software package.
|
| . Internet Explorer 6 and Outlook Express 6 - Internet Explorer 5.01 was
| originally included with Windows 2000. Service Packs for Windows 2000 only
| service this original version. Microsoft recommends that you install
| Internet Explorer 6 SP1 and the current cumulative Internet Explorer
| security updates on Windows 2000 computers for maximum security.
| </QP>
| --
| HTH
|
| ~Robear Dyer (PA Bear)
| MS MVP-Windows (IE/OE) & Security
|
|
| Nate Goulet wrote:
| > On Wed, 20 Jul 2005 15:30:26 -0400, "PA Bear" <>
| > wrote:
| >
| > > Is Windows Update offering you 891861? Is Win2K SP3 or SP4 installed?
| > >
| > > Cumulative Security Updates for Internet Explorer address
| > > vulnerabilities in Windows, too. I suggest you keep up-to-date on
| > > these.
| >
| > It's a Windows 2000 Server with SP4 installed.
| >
| > Windows update is offering KB891861. Does that update include IE6 if
| > it isn't installed? (would prefer not to do that).
| >
| > I've spoken to many other consultants both in the forums & in person
| > about if I really need to install IE6 on the server to keep it free
| > from vulerabilities.
| >
| > The vast majority of people i've discussed it with agreed that if we
| > are not surfing the web on the server, then we are fine keeping IE5
| > with it's associated critical updates and leaving IE6 off the server.
| >
| > Are you saying you disagree? If so, i'm not saying your wrong either.
| > Even those i've talked with that are Microsoft certified engineers
| > agreed that Windows will be safe on the server without IE6 as long as
| > the only thing IE5 is used for is doing Windows updates. I know
| > Microsoft always likes to promote their newest stuff, but that doesn't
| > automatically mean IE6 is required just to keep Windows secure.
| >
| > I'd like to hear any comments anyone has to share on this.
| >
| > The way I look at it, we only have one server currently and 30 - 50
| > people depending on it. Just installing a Windows update could
| > potential cause a problem, and if we had IE6 on there, new updates
| > would need to be installed constantly. I'm keeping my fingers crossed
| > every time I run a Windows update. The other issue is we don't have a
| > lot of free space on the C partion, and installing IE6 might chew up
| > more space than we can afford on C. We have plenty of space on other
| > drives. Our specialist had partioned C to only have 4 Gigs.
| > Changing that with Partion Magic sounds risky.
| >
| > The main thing is I want to make certain the server is reasonably
| > protected.
|

No, I have not had occasion to do so and I'm well aware others have had
problems with it: http://snipurl.com/ge49

KB891861 is fully uninstallable. YMMV.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security


Tom Pepper Willett wrote:
> ~Robear:
>
> Have you installed the rollup on any Win2K servers without issues?
>
> Tom
> "PA Bear" <> wrote in message
> news:...
> > Read the KB article: http://support.microsoft.com/?id=891861 It lists
> > all the updates included in the Rollup; they include two (2) Cumulative
> > Security Updates for IE5.01 in Win2K SP4, MS05-014 and MS05-020. [But
> > if they're *cumulative* updates, why both?]
> >
> > <QP>
> > Q3: Should I install Update Rollup 1 even if I have kept my Windows
> > 2000 SP4 systems up to date?
> >
> > A3: Yes. Update Rollup 1 contains additional important fixes in files
> > that have not previously been part of individual security updates, as
> > described in the Knowledge Base Article. In addition, the Update Rollup
> > 1 contains additional enhancements that increase system security,
> > reliability, reduce support costs, and support the current generation
> > of PC hardware. In some cases, the individual binary files released in
> > previous individual security updates may have been updated via
> > individual hotfixes to address minor compatibility issues introduced in
> > those prior security updates that affected individual customers. The
> > latest versions of those files are included in the Update Rollup.
> >
> > Therefore, even if a system is fully up to date with prior security
> > releases, Windows Update will still detect and apply the Update Rollup.
> > Customers who use managed security update deployment solutions should
> > evaluate the need to deploy Update Rollup 1 within their infrastructure
> > </QP>
> >
> > The Rollup does not update IE or OE:
> >
> > <QP>
> > Update Rollup for Windows 2000 does not contain updates for individual
> > Windows components not included with a clean slipstream install of
> > Windows 2000 SP4. If there are components previously installed or
> > updated on the system, the individual security updates must be
> > downloaded separately from Windows Update.
> >
> > Examples include the following:
> >
> > . MS03-011 - Flaw in Microsoft VM Could Enable System Compromise
> > (KB816093) - The Microsoft VM is not included in SP4 natively. However
> > the VM may be resident on systems which were updated to SP4 from a
> > prior SP or installed by a third party software package.
> >
> > . Internet Explorer 6 and Outlook Express 6 - Internet Explorer 5.01 was
> > originally included with Windows 2000. Service Packs for Windows 2000
> > only service this original version. Microsoft recommends that you
> > install Internet Explorer 6 SP1 and the current cumulative Internet
> > Explorer security updates on Windows 2000 computers for maximum
> > security. </QP>
> > --
> > HTH
> >
> > ~Robear Dyer (PA Bear)
> > MS MVP-Windows (IE/OE) & Security
> >
> >
> > Nate Goulet wrote:
> > > On Wed, 20 Jul 2005 15:30:26 -0400, "PA Bear" <>
> > > wrote:
> > >
> > > > Is Windows Update offering you 891861? Is Win2K SP3 or SP4
> > > > installed?
> > > >
> > > > Cumulative Security Updates for Internet Explorer address
> > > > vulnerabilities in Windows, too. I suggest you keep up-to-date on
> > > > these.
> > >
> > > It's a Windows 2000 Server with SP4 installed.
> > >
> > > Windows update is offering KB891861. Does that update include IE6 if
> > > it isn't installed? (would prefer not to do that).
> > >
> > > I've spoken to many other consultants both in the forums & in person
> > > about if I really need to install IE6 on the server to keep it free
> > > from vulerabilities.
> > >
> > > The vast majority of people i've discussed it with agreed that if we
> > > are not surfing the web on the server, then we are fine keeping IE5
> > > with it's associated critical updates and leaving IE6 off the server.
> > >
> > > Are you saying you disagree? If so, i'm not saying your wrong either.
> > > Even those i've talked with that are Microsoft certified engineers
> > > agreed that Windows will be safe on the server without IE6 as long as
> > > the only thing IE5 is used for is doing Windows updates. I know
> > > Microsoft always likes to promote their newest stuff, but that doesn't
> > > automatically mean IE6 is required just to keep Windows secure.
> > >
> > > I'd like to hear any comments anyone has to share on this.
> > >
> > > The way I look at it, we only have one server currently and 30 - 50
> > > people depending on it. Just installing a Windows update could
> > > potential cause a problem, and if we had IE6 on there, new updates
> > > would need to be installed constantly. I'm keeping my fingers crossed
> > > every time I run a Windows update. The other issue is we don't have a
> > > lot of free space on the C partion, and installing IE6 might chew up
> > > more space than we can afford on C. We have plenty of space on other
> > > drives. Our specialist had partioned C to only have 4 Gigs.
> > > Changing that with Partion Magic sounds risky.
> > >
> > > The main thing is I want to make certain the server is reasonably
> > > protected.

PA Bear wrote:

> No, I have not had occasion to do so and I'm well aware others
> have had problems with it: http://snipurl.com/ge49
>
> KB891861 is fully uninstallable. YMMV.

but I have seen reports that some problems caused by KB891861 have
not disappeared even if you uninstall KB891861.

So I would have been very reluctant to install KB891861 on a server,
and if I did, I would have been sure to have a valid system state
backup of the OS that I could restore in worst case.



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx

Given what I've read in the past 24 hours and my respect for your knowledge
and experience on these issues, I'll agree with you, Torgeir.

Torgeir Bakken (MVP) wrote:
> PA Bear wrote:
>
> > No, I have not had occasion to do so and I'm well aware others
> > have had problems with it: http://snipurl.com/ge49
> >
> > KB891861 is fully uninstallable. YMMV.
>
> but I have seen reports that some problems caused by KB891861 have
> not disappeared even if you uninstall KB891861.
>
> So I would have been very reluctant to install KB891861 on a server,
> and if I did, I would have been sure to have a valid system state
> backup of the OS that I could restore in worst case.

I appreciate you taking the time to explain that.

I'll check with my specialist and install the update as long as they
recommend it and have not yet run into problems installing the RollUp
on other similar servers.

Thanks again.

On Wed, 20 Jul 2005 18:44:19 -0400, "PA Bear" <>
wrote:

>Read the KB article: http://support.microsoft.com/?id=891861 It lists all
>the updates included in the Rollup; they include two (2) Cumulative Security
>Updates for IE5.01 in Win2K SP4, MS05-014 and MS05-020. [But if they're
>*cumulative* updates, why both?]
>
><QP>
>Q3: Should I install Update Rollup 1 even if I have kept my Windows 2000 SP4
>systems up to date?
>
>A3: Yes. Update Rollup 1 contains additional important fixes in files that
>have not previously been part of individual security updates, as described
>in the Knowledge Base Article. In addition, the Update Rollup 1 contains
>additional enhancements that increase system security, reliability, reduce
>support costs, and support the current generation of PC hardware. In some
>cases, the individual binary files released in previous individual security
>updates may have been updated via individual hotfixes to address minor
>compatibility issues introduced in those prior security updates that
>affected individual customers. The latest versions of those files are
>included in the Update Rollup.
>
>Therefore, even if a system is fully up to date with prior security
>releases, Windows Update will still detect and apply the Update Rollup.
>Customers who use managed security update deployment solutions should
>evaluate the need to deploy Update Rollup 1 within their infrastructure
></QP>
>
>The Rollup does not update IE or OE:
>
><QP>
>Update Rollup for Windows 2000 does not contain updates for individual
>Windows components not included with a clean slipstream install of Windows
>2000 SP4. If there are components previously installed or updated on the
>system, the individual security updates must be downloaded separately from
>Windows Update.
>
>Examples include the following:
>
>. MS03-011 - Flaw in Microsoft VM Could Enable System Compromise
>(KB816093) - The Microsoft VM is not included in SP4 natively. However the
>VM may be resident on systems which were updated to SP4 from a prior SP or
>installed by a third party software package.
>
>. Internet Explorer 6 and Outlook Express 6 - Internet Explorer 5.01 was
>originally included with Windows 2000. Service Packs for Windows 2000 only
>service this original version. Microsoft recommends that you install
>Internet Explorer 6 SP1 and the current cumulative Internet Explorer
>security updates on Windows 2000 computers for maximum security.
></QP>
>--
>HTH
>
>~Robear Dyer (PA Bear)
>MS MVP-Windows (IE/OE) & Security
>
>
>Nate Goulet wrote:
>> On Wed, 20 Jul 2005 15:30:26 -0400, "PA Bear" <>
>> wrote:
>>
>> > Is Windows Update offering you 891861? Is Win2K SP3 or SP4 installed?
>> >
>> > Cumulative Security Updates for Internet Explorer address
>> > vulnerabilities in Windows, too. I suggest you keep up-to-date on
>> > these.
>>
>> It's a Windows 2000 Server with SP4 installed.
>>
>> Windows update is offering KB891861. Does that update include IE6 if
>> it isn't installed? (would prefer not to do that).
>>
>> I've spoken to many other consultants both in the forums & in person
>> about if I really need to install IE6 on the server to keep it free
>> from vulerabilities.
>>
>> The vast majority of people i've discussed it with agreed that if we
>> are not surfing the web on the server, then we are fine keeping IE5
>> with it's associated critical updates and leaving IE6 off the server.
>>
>> Are you saying you disagree? If so, i'm not saying your wrong either.
>> Even those i've talked with that are Microsoft certified engineers
>> agreed that Windows will be safe on the server without IE6 as long as
>> the only thing IE5 is used for is doing Windows updates. I know
>> Microsoft always likes to promote their newest stuff, but that doesn't
>> automatically mean IE6 is required just to keep Windows secure.
>>
>> I'd like to hear any comments anyone has to share on this.
>>
>> The way I look at it, we only have one server currently and 30 - 50
>> people depending on it. Just installing a Windows update could
>> potential cause a problem, and if we had IE6 on there, new updates
>> would need to be installed constantly. I'm keeping my fingers crossed
>> every time I run a Windows update. The other issue is we don't have a
>> lot of free space on the C partion, and installing IE6 might chew up
>> more space than we can afford on C. We have plenty of space on other
>> drives. Our specialist had partioned C to only have 4 Gigs.
>> Changing that with Partion Magic sounds risky.
>>
>> The main thing is I want to make certain the server is reasonably
>> protected.
>

I hope you read futher than my first reply here (this thread, and in
Win2K-specific newsgroups). Others running Win2K SP4 are reporting some odd
problems upon installing the Rollup. YMMV.
--
~PA Bear

Nate Goulet wrote:
> I appreciate you taking the time to explain that.
>
> I'll check with my specialist and install the update as long as they
> recommend it and have not yet run into problems installing the RollUp
> on other similar servers.
>
> Thanks again.
>
> On Wed, 20 Jul 2005 18:44:19 -0400, "PA Bear" <>
> wrote:
>
> > Read the KB article: http://support.microsoft.com/?id=891861 It lists
> > all the updates included in the Rollup; they include two (2) Cumulative
> > Security Updates for IE5.01 in Win2K SP4, MS05-014 and MS05-020. [But
> > if they're *cumulative* updates, why both?]
> >
> > <QP>
> > Q3: Should I install Update Rollup 1 even if I have kept my Windows
> > 2000 SP4 systems up to date?
> >
> > A3: Yes. Update Rollup 1 contains additional important fixes in files
> > that have not previously been part of individual security updates, as
> > described in the Knowledge Base Article. In addition, the Update Rollup
> > 1 contains additional enhancements that increase system security,
> > reliability, reduce support costs, and support the current generation
> > of PC hardware. In some cases, the individual binary files released in
> > previous individual security updates may have been updated via
> > individual hotfixes to address minor compatibility issues introduced in
> > those prior security updates that affected individual customers. The
> > latest versions of those files are included in the Update Rollup.
> >
> > Therefore, even if a system is fully up to date with prior security
> > releases, Windows Update will still detect and apply the Update Rollup.
> > Customers who use managed security update deployment solutions should
> > evaluate the need to deploy Update Rollup 1 within their infrastructure
> > </QP>
> >
> > The Rollup does not update IE or OE:
> >
> > <QP>
> > Update Rollup for Windows 2000 does not contain updates for individual
> > Windows components not included with a clean slipstream install of
> > Windows 2000 SP4. If there are components previously installed or
> > updated on the system, the individual security updates must be
> > downloaded separately from Windows Update.
> >
> > Examples include the following:
> >
> > . MS03-011 - Flaw in Microsoft VM Could Enable System Compromise
> > (KB816093) - The Microsoft VM is not included in SP4 natively. However
> > the VM may be resident on systems which were updated to SP4 from a
> > prior SP or installed by a third party software package.
> >
> > . Internet Explorer 6 and Outlook Express 6 - Internet Explorer 5.01 was
> > originally included with Windows 2000. Service Packs for Windows 2000
> > only service this original version. Microsoft recommends that you
> > install Internet Explorer 6 SP1 and the current cumulative Internet
> > Explorer security updates on Windows 2000 computers for maximum
> > security. </QP>
> > --
> > HTH
> >
> > ~Robear Dyer (PA Bear)
> > MS MVP-Windows (IE/OE) & Security
> >
> >
> > Nate Goulet wrote:
> > > On Wed, 20 Jul 2005 15:30:26 -0400, "PA Bear" <>
> > > wrote:
> > >
> > > > Is Windows Update offering you 891861? Is Win2K SP3 or SP4
> > > > installed?
> > > >
> > > > Cumulative Security Updates for Internet Explorer address
> > > > vulnerabilities in Windows, too. I suggest you keep up-to-date on
> > > > these.
> > >
> > > It's a Windows 2000 Server with SP4 installed.
> > >
> > > Windows update is offering KB891861. Does that update include IE6 if
> > > it isn't installed? (would prefer not to do that).
> > >
> > > I've spoken to many other consultants both in the forums & in person
> > > about if I really need to install IE6 on the server to keep it free
> > > from vulerabilities.
> > >
> > > The vast majority of people i've discussed it with agreed that if we
> > > are not surfing the web on the server, then we are fine keeping IE5
> > > with it's associated critical updates and leaving IE6 off the server.
> > >
> > > Are you saying you disagree? If so, i'm not saying your wrong either.
> > > Even those i've talked with that are Microsoft certified engineers
> > > agreed that Windows will be safe on the server without IE6 as long as
> > > the only thing IE5 is used for is doing Windows updates. I know
> > > Microsoft always likes to promote their newest stuff, but that doesn't
> > > automatically mean IE6 is required just to keep Windows secure.
> > >
> > > I'd like to hear any comments anyone has to share on this.
> > >
> > > The way I look at it, we only have one server currently and 30 - 50
> > > people depending on it. Just installing a Windows update could
> > > potential cause a problem, and if we had IE6 on there, new updates
> > > would need to be installed constantly. I'm keeping my fingers crossed
> > > every time I run a Windows update. The other issue is we don't have a
> > > lot of free space on the C partion, and installing IE6 might chew up
> > > more space than we can afford on C. We have plenty of space on other
> > > drives. Our specialist had partioned C to only have 4 Gigs.
> > > Changing that with Partion Magic sounds risky.
> > >
> > > The main thing is I want to make certain the server is reasonably
> > > protected.