Windows Server 2003 SP1, WSUS and Security Updates

Recently, we found some systems (sadly, customer systems) that  weren’t getting any Security Updates anymore. Much more sadly, them is running Windows Server 2003, and as you know Security Updates are pretty important for Windows Systems.

At the time of finding this, I had no clue as to why the were not getting any updates. At first we thought it had something to do with the WSUS server, so I upgraded the WSUS 3.0 SP1 to SP2. Since that didn’t solve nothing, I went searching for a internal VM, that showed the same symptoms and I quickly found one.

After cloning said VM (since that one is running in the production environment), a bit of hacking on it (you know, disabling the network of the VM, switching IP and Hostname, running NewSID, …) I went cracking at the problem.

Stopped the Windows Update Service, cleaned the %WINDIR%SoftwareDistribution, and started the Windows Update Service again; triggered a wuauclt.exe /detectnow /reportnow. Yet again the same result. “0 updates detected”. Shite.

Went ahead, and tried what Microsoft in their “If you have trouble with Windows Updateknowledge base article, but then again. Same result.

Another try, was simply reinstalling the Windows Update Agent, which also resulted in the same old … “0 updates detected”

Due to some discussion with my co-workers, I ended up clicking through a Microsoft KB for a recently released patch. What I found, was that any newer update I looked at, only had “Windows Server 2003 with Service Pack 2” listed as download element. Shite.

Somehow, I stumbled over a link (in the same KB article) detailing the Support Lifecycle for Service Packs in general, as well as the Lifecycle announcements for each Service Pack.

End of the story and solution to my problem basically is, Microsoft terminated the Lifecycle for Windows Server 2003 SP1 on 14.04.2009, which is the target date after which Security and Critical Updates are no longer issued for systems running SP1.

In the end, I don’t really blame them, since SP2 was already released in 2007. But what I would’ve expected is some kind of press release or a public note, that Security releases are gonna end. Another construction area identified, more work for me!