Unnaturally long life
CSAs have helped contribute to the prolonged existence of Windows XP in business. The same won’t happen on Windows Server 2003, said Veitch.
“I’ve spoken to Microsoft and it has said it will not cave like it did on Windows XP,” Veitch said.
Those not taking out CSAs reckoned they had a “plan” to cope, so are managing the risk of continuing to run Windows Server 2003 without security updates.
Manufacturing came top here, at 64 per cent, followed by retail, distribution and transport on 52 per cent, “other commercial” on 52 per cent, and then financial services on 36 per cent.
When it comes to the question of why so many will miss the July cut-off and why numbers have jumped so dramatically, the answer seems to be application compatibility and moving some a core of thorny and complex apps.
Paul DeGroot, Microsoft licensing consultant with Pica Communications, said a CSA costs less for some than moving or rebuilding such apps, so a Microsoft agreement can be justified because it helps buy time.
“I have heard a lot of dread about CSAs for Windows Server 2003,” DeGroot told The Reg. “For the most part, no one is casual about the risks. In most cases their hands are tied by application compatibility issues that are either difficult to remedy or potentially more expensive than custom support.”
DeGroot is conducting a survey on price of CSAs, here.
Custom-built and customised apps are the real sticking point: that is, Windows Server 2003 apps are old and might not run on later server operating systems, and apps where the customers lack the source code to move them or where the application's vendor is no longer in business, or the author has left the firm.
In many cases, if you can’t port the app the answer is to try and find somebody who can replicate its functionality with a new app instead.
If you can't migrate "the only solution is to find someone to study the app and duplicate its functionality. That could take many months and cost $100,000 for just one skilled developer", added DeGroot.
DeGroot noted, too, there’s less pressure get off Windows Server 2003 than for Windows XP because the security exposure is less severe.
As a desktop operating system, Windows XP was exposed to direct attack over the web through Internet Explorer and via Office.
But if a sysadmin never used a Windows Server 2003 server console to browse the web or view an Office document then 80 per cent of security updates deemed “critical” were unnecessary, DeGroot said. ®