Microsoft is only partway into delivering the long-awaited Service Pack 2 for Windows XP to users, yet it has already begun releasing fixes for problems that the mammoth update can cause, however inadvertently.

The company has issued what is likely the first of several "hotfix" patches - patches that address specific problems - which developers and analysts say are just a fact of PC life.

"Writing software is a complicated endeavour done by humans. We don't see SP2 as the be-all and end-all, that there will no longer be a need for future patches," says Rob Enderle, principal analyst for technology analysis firm The Enderle Group.

So if you're looking for SP2 to solve all present and future problems, keep dreaming. Meanwhile, though, only a tiny fraction of Windows XP users will need to get the new hotfix: hotfixes usually apply to only a few customers and are not generally distributed to the vast majority of users.

This first hotfix for SP2 patches a problem that the service pack creates for some users of virtual private networks, telecommunications software that is generally used to let workers connect securely from a remote location such as home or the road. Most, if not all, affected VPN users will get the hotfix through their employer's IT department.

Its release, especially so soon after the service pack's rollout, is a reminder that no software is ever perfect, and over time it will need to be patched repeatedly.

In addition, because of the popularity of Windows, many people - both crackers and legitimate security researchers - are constantly searching for as yet undiscovered security flaws that can be exploited.
For instance, earlier this week German Internet security portal Heise Security published a security bulletin describing two holes in SP2.

Are they actually bugs? That's still in question, because Microsoft usually does not acknowledge previously unknown security flaws until it has tested and verified the problems and is ready to patch them.

Security has been a dominant focus, as well as a major source of pain, for the software giant over the past few years, particularly as the world moved onto the web. Microsoft has touted SP2 for nearly a year as a heavyweight advance in securing users' PCs from attack.

However, Microsoft execs like to say that their toughest competition is the huge installed base of previous versions of its own products. Despite all the focus on Windows XP, that statement is quite true.

Last January, Microsoft buckled under user demands and agreed to continue to provide patches rated "critical" on its four-tier severity rating scale for Windows 98, Windows 98 SE, and Windows Millennium. The company extended the support a year and a half beyond its intended expiration, until 30 June 2006.

But although Microsoft has been diligent about patching its more recent Windows versions since that announcement, its developers have lagged in posting patches for Windows 98 and Me users.

Two recently announced security holes have not yet been patched for those older systems. One patch, MS04-023, is five weeks behind the Windows XP equivalent, while a second patch, MS04-025, is nearly three weeks late.

A Microsoft spokesperson reaffirmed promises that the company will continue to release critical updates for Windows 98, 98 SE, and Me, but declined to commit to a timeframe. Nor would the spokesperson say whether patches might arrive at the same time as patches for newer Windows versions.

She also declined to comment on why the patches for the older operating systems are running behind, although it's likely Microsoft's developers have been focused on deploying SP2 and quickly patching any consequent bugs.

If you use Windows 98, 98 SE, or Me, however, you're far from alone. More than 40m PC users worldwide still run the older operating systems, according to research firm IDC. And Microsoft CEO Steve Ballmer recently said an estimated 650m PCs are in use globally, which would mean that roughly 1 in 16 users still has one of those older systems.

Luckily, say analysts, many of those users of aging software are not connected to the internet. Many who are online use only dial-up connections, so they are likely to spend less time online and are at smaller risk of attack than business or home users with broadband connections.

Nevertheless, Microsoft has an admitted responsibility to keep protecting those customers, industry watchers say.

"It's still a large number of people who potentially are impacted," says Dan Kusnetzky, vice president of system software research at IDC.