As the Conficker worm continues to burrow into more Windows systems, it's become apparent that not only are many users failing to keep up with their patching, but many others are running older versions of Windows for which patches aren't available.
"During Conficker we realized that a lot of customers are on unsupported OSs," blogged Roger Halbheer, Chief Security Advisor of Microsoft EMEA (Europe, Middle East and Africa).
"Unsupported," in this case, means unsupported by Microsoft. Microsoft continues to update and patch operating systems and other products for free for roughly five years from the time a product is first released. Then the product enters the "extended support" phase, during which volume licensees can purchase an "extended hotfix agreement" in order to continue to get full support from Microsoft. Security fixes and patches are an exception: they don't require the purchase of an extended support agreement, and Microsoft continues to provide them for free to all users during the extended phase.
But once the extended support phase ends and a product is "retired," Microsoft no longer provides fixes -- even security-specific ones.
(Microsoft's lifecycle policy is actually far more complex than I'm explaining it here. The best way to try to figure out when support expires is to check Microsoft's Support Lifecycle pages.)
One Windows release for which the end-of-support date is approaching rapidly is Windows Server 2003 Service Pack 1 (SP1), warned Halbheer.
On February 27, Halbheer blogged:
"If you look at that (the Microsoft lifecycle page), you will see that Windows Server 2003 Service Pack 1 will be retired on 14. April 2009. This means that this is the last time you will get Security Updates for SP1! If you did not already, please start to roll-out SP2 immediately."