Ask the Microsoft Experts

Q: Currently we have a mission-critical system running Microsoft Windows NT Server 4.0 with Service Pack (SP) 4 applied, but not SP5 or SP6. On this system, we run a Microsoft SQL Server™ 6.5 application provided by a vendor. What steps should we take to protect this system?

A: Windows NT Server 4.0 SP6a will be supported with free security patches until December 31, 2004; Windows NT 4.0 SP4 and SP5 are no longer supported. SQL Server 6.5 is also no longer a supported platform.

We recommend that you work with your application vendor to provide application support for the supported Windows (Windows NT4 SP6a, Windows 2000 SP4 or Windows Server 2003) and SQL Server (SQL Server 2000 SP3) platforms. We also strongly advise that you assess internally and discuss with your vendor the risk of not keeping your systems up to date with the latest security patches.

Here’s why Microsoft doesn’t provide support for critical security issues on older platforms. To provide this support for each older Windows service pack, Microsoft would need to examine the differences between that service pack's binaries and the current service pack's binaries, and identify which additional components from the current SP would be required to fully support the update. Sometimes that would mean including significant portions of the newer service pack in such a down-level update. In many cases, fulfilling modern security requirements requires significant architectural changes which cannot be delivered in either a patch or a service pack.

Microsoft would then have to fully test the update on the down-level service pack machines across a wide variety of applications and scenarios, and for interoperability with all newer service pack levels, to ensure the level of quality that the widespread deployment characteristic of a security update demands. This multiplies the configuration testing required and would add significant time to testing security fixes, resulting in ever-increasing delays in releasing them while putting quality and compatibility at risk because of the sheer number of potential customer scenarios to be tested.

Because newer service packs include security fixes which may not have been made available separately, the result is an older service pack which is still not as secure or as reliable as the most current service pack level, with only specific security fixes available. We hope this helps explain Microsoft’s support policies for service packs, as well as currently supported operating systems. You can refer to more detailed info at

The steps for upgrading your environment are as follows:

  1. Upgrade to Windows Server 2003.

  2. Upgrade to SQL Server 2000 SP3. SQL Server 6.5 is out of support entirely.