Windows Server 2003's end of support: Should users play custom patch roulette?

With the end-of-support date for Microsoft's Windows Server 2003 looming, will those still using the operating system decide to play custom-patch roulette?
Written by Mary Jo Foley, Senior Contributing Editor

With Microsoft's end of support for Windows Server 2003 now less than six months away, some customers' thoughts are turning to custom contracts that will allow them to continue to receive updates to that product.

After July 14, 2015, Microsoft will no longer issue fixes or updates of any kind for Windows Server 2003, as the company has been warning customers for a while now. Microsoft is continuing to advise customers still running that OS to move to Windows Server 2012 R2 (its most recently released version of Windows Server) and/or Azure.

Custom support agreements are nothing new, as Windows XP users know. Via these contracts, which Microsoft makes available to its Premier support customers for a fee, users can continue to get security updates for a set period of time for a no-longer-supported Microsoft operating system.

Typically, the costs of those types of custom contracts are quite high. But in Windows XP's case, Microsoft is believed to have slashed the prices substantially shortly after the company revoked support for the OS on April 8, 2014.

Just a quick reminder as to what "end of support" means in these cases. Customers can continue to use their unsupported products, but they will no longer get any kind of updates, including security updates, for free from Microsoft. Only those customers who pay for custom contracts and who agree to adhere to a phase-out schedule for the unsupported software are eligible to continue to get updates designated as "critical" and "important."

According to a February 16 post on The Register, some Windows Server 2003 users could end up paying up to $600 per server to continue receiving Windows Server 2003 patches from Microsoft. Microsoft isn't verifying this figure; when I asked, I received this statement via a spokesperson:

"Custom Support costs can vary, depending on specific customer needs, such as the number of server instances requiring continued support. We recommend customers work with their Microsoft Account Representative to determine applicable pricing for their environment."

At this point, there are no guarantees that Microsoft will do what the company seemingly did with XP, in terms of cutting custom contract pricing.

Pica Communications Principal Consultant Paul DeGroot said that customers may benefit from playing a bit of "brinksmanship."

DeGroot analyzed how many critical Windows Server 2003 patches Microsoft issued over the past five years, and found that the top seven issues were all related to "rendering of some ASP.NET pages." He also found that a number of the recent critical patches were relevant only for specific configurations, such as for Itanium Servers only.

"Custom Support Agreements are retroactive. If you wait for a year and there's finally a critical update that really counts, you'll pay retroactive to the end of support. In other words, if you don't pay Microsoft now, it won't cost you more to purchase it later, and you'll still get critical updates," DeGroot noted.

Playing custom-patch roulette seems like risky business. In addition to the obvious security concerns due to running unpatched software, customers also are chancing compliance violations. But given that many customers still won't be ready to pull the plugs on their Windows Server 2003 boxes on July 8, 2015, when support ends, some may decide to take the risk.
