Understanding the Windows lifecycle policy (for all you IT Pros out there)


With so many customers relying on IE, it helps to get a solid grasp of the Windows Lifecycle Policy, which at first blush can appear to be a bit cryptic. Fortunately I think I can shed some light on Microsoft’s policy with these simple rules:

  1. We support the version of IE that shipped with an OS or Service Pack for as long as the OS or Service Pack is supported
  2. We support the latest standalone version of IE (that’d be IE 6 SP1) on every OS that’s still supported (unless superseded by a newer version of IE, like IE6 in XPSP2)
  3. As IE & OS Service Packs are released, the older Service Packs are slowly retired from support

Given these rules, you can break down our support policy like this:

  1. IE 6 for Windows XP SP2 is the version of IE supported on Windows XP SP2 (obviously). Similarly the version of IE shipping with Windows Server 2003 SP1 is called “IE 6 for Windows Server 2003 SP1”
  2. IE 6 SP1 is supported on every other OS currently supported: Windows Server 2003 Gold, Windows XP SP1, Windows 2000 (SP4 & SP3), Windows Millennium, Windows 98SE, and Windows 98
  3. IE 5.5 SP2 is still supported on Windows Millennium because Windows Millennium shipped “out of the box” with IE 5.5 installed
  4. IE 5.01 SP3 & SP4 are supported on Windows 2000 SP3 & SP4 respectively because Windows 2000 shipped “out of the box” with IE 5.01 installed
  5. Versions of IE prior to IE 5.01 are no longer supported (IE 5.0, IE 4.x, IE 3, etc.)

If you’re running Windows Server 2003, Windows XP, or Windows 2000, you’ll remain in support so long as you stay up to date with the latest Service Packs. There’s a grace period of 12 or 24 months when a new service pack is released before older service packs are retired. Windows Server 2003 + the latest Service Packs will be in mainstream support through 2008 and in extended support until 2013. Windows XP + the latest Service Packs will be in mainstream support through 2006 and in extended support until 2011. Windows 2000 + the latest Service Packs will be in mainstream support through June 30th of this year and then move into extended support through June 30th of 2010. Please see the lifecycle site for more details about what it means to be in mainstream vs. extended support.

While we still support older versions of IE like IE 5.5 SP2 and IE 5.01 SP4 for the sake of our corporate customers who remain on those platforms, we continue to strongly suggest that all users upgrade to IE 6 SP1, Windows XP SP2, or Windows Server 2003 (+SP1 when it’s released) for the most secure versions of IE.

In the next few months, as we share more information about IE 7, I will blog a bit about IE 7 & the lifecycle policy for it as well.

Until next time!
-Christopher

EDIT: Fixed the Windows 2000 information to accurately reflect that it moves to extended support after June 30th of this year, not EOY.

Comments (44)

  1. Anonymous says:

    I know a lot of people who think that Microsoft’s support policy is terrible. They say things like "I should still get support for Windows NT 4.0 with SP5!!"

    What kills me is these same people routinely accept support policies from third party companies that are far, far worse. I know of a lot of companies, especially in the medical software arena, that drop support for the previous version just months after the next one comes out. And I’m not talking about heart monitor software, I’m talking about billing software and the like.

    Microsoft has perhaps the best support policy of any software company out there. Who else would still be supporting software they made back in 2000?

    James Summerlin

  2. Anonymous says:

    Good info,

    However for previous comment, for corporate people upgrading is a risky business. A failure due to compatibility problems or anything else can result in the person/s being fired.

    Personally if i was in a company position i would remain 1 version behind the current. i.e. i would stay with Windows 2000 which is proven or at the most XP SP1.

    It’s like in Formula 1 (motorsport). In a race do you risk with latest untested parts (which mught give you an advantage) or be a bit slower but be sure to finish the line.

    Just my 2 cents

  3. Anonymous says:

    It cracks me up when I hear Linux advocates go on about this policy in Microsoft products because I remember how quickly major linux vendor Red Hat dropped support for RH9 when they decided they wanted to play a different game instead for a while.

  4. Anonymous says:

    As I can see on my Webserver, a PocketPC Internet Explorer identifies himself as "IE4".

    Is the IE for PocketPCs really based on IE4? Is this IE4 still supported?

  5. Anonymous says:

    It’s impressive that Microsoft make the commitment to support older versions of Internet Explorer.

    Mozilla advocates may complain that new IE versions come at cost (potentially requiring an expensive OS upgrade). However, their own upgrade system is embarassingly weak, with some users still using beta Firefoxes (that didn’t support auto-update), and other users left with multiple versions:

    http://microsoft.weblogsinc.com/entry/1234000507037419/

    or users receiving the wrong platform version:

    http://www.mozillazine.org/talkback.html?article=6159

    or the various bugs in the auto-updater:

    http://www.computergripes.com/firefox.html

    Personally, I don’t mind paying for a bit of commercial reliability. Firefox regularly crashes on my Mac where it doesn’t seem to be able to deal with more that 8 tabs displaying Flickr images. On my PC it is painfully slow compared to IE.

    Keep up the good work Microsoft!

  6. Anonymous says:

    James: The medical software company I work for supports any previous versions that a customer may be on. Must be all companies but mine that drops support like you say. 🙂

  7. Anonymous says:

    A lawyer had to be involved in that post. It is abundantly clear that a significant portion of your customer base wants a simple yes or no answer to a simple Question.

    Will IE7 be available for Windows 2000?

    No matter. I will just head over to http://www.zombo.com "where everything is possible".

  8. Anonymous says:

    Tom, considering how Windows 2000 mainstream support ends June 30, 2005, I think you can figure out the answer.

  9. Anonymous says:

    Tom: I’m not a lawyer. I’m not sure if I should be insulted that you think I might be 🙂

    As for whether or not we’ll have IE7 for Windows 2000, that’s not something I can talk about at this time. Trust me we’ll let everyone know as soon as we can. But don’t look for the announcement here in the blog – we’ll announce it through our normal press channel first.

  10. Anonymous says:

    >In the main Blog Entry…Christopher said:

    "Windows 2000 + the latest Service Packs will be in mainstream support through the end of this year"

    >In the feedback section Chris said:

    " Tom, considering how Windows 2000 mainstream support ends June 30, 2005, I think you can figure out the answer."

    This raises a few questions.

    – Is Chris and Christopher the same person?

    – Which is the correct deadline?

    – Is IE7 coming out this year?

    – Wasn’t Longhorn coming out next year anyway?

    – Is IE7 going to be a standalone browser?

    And lastly, just in cause the issue was forgotten…

    – What about support for PNG transparency?

  11. Anonymous says:

    Tom: "Chris" is someone else and not me. Microsoft employees should always add an [MSFT] tag when they reply so you’ll know it’s us (and if someone who doesn’t work for Microsoft fakes that tag, we’ll nuke their comments and let everyone know).

    Chris is correct – Windows 2000 goes into extended support after June 30th of this year. I’ll edit my original blog to reflect that.

    As for the rest of your questions, they’re not particularly relevant to this particular blog post so I’ll ask that you reserve them for future blogs that deal with the issues you want to ask about (to avoid this becoming some kind of "ask a Microsoft person your favorite question" forum).

  12. Anonymous says:

    I read somewhere that "XP + latest service pack" will be in mainstream support until 2 years after Longhorn ships. Is this true? Otherwise, end of 2006 would be way too early given that Longhorn isn’t shipping until 2006…

  13. Anonymous says:

    Yes, that’s true – XP is LH+2 years, not end of 2006. See the Windows Lifecycle Policy for plenty of details.

  14. Anonymous says:

    Personally, I encourage dropping support of previous builds when a new build is out.

    It seems silly to troubleshoot a problem when you aren’t using the newest version, and the upgrade is free.

    Anybody who claims they don’t have enough time to impliment an upgrade has their priorities all backwards.

    On another note, it’s almost dissapointing in my eyes than IE 5.01 is supported in Win 2000 because it’s the "out of the box" version. I had previously thought IE5.5 was the minimum version supported. Well at least MS admits IE 5.01 is not up to par and ‘highly recommends’ IE6.

  15. Anonymous says:

    Tell me something, will we have Windows in 2020?

  16. Anonymous says:

    Andre Da Costa: yes. So we can see outside through the gaps in walls without letting the cold in!

  17. Anonymous says:

    Wow… This is a pretty lame blog. I’ve just started reading this a couple weeks ago and I thought that there was more happening at IE. Apparently getting one person from the staff to blog on a reasonable schedule is a pretty difficult thing to do. Where is the consistancy?? What are you doing there?? Apparently more important things… Likely not.

  18. Anonymous says:

    While we’re talking about timetables, can you please give us more info about the following two advisories and when a patch will be forthcoming:

    http://www.eeye.com/html/research/upcoming/index.html

    One of them has been reported for 19 days!

    At least tell us workarounds to mitigate the vulnerability in the vulnerable period. Let me guess – reduce ActiveX privileges?

  19. Anonymous says:

    To Joe Sysadmin:

    Releasing details of how to mitigate vulnerabilities increases the chance that attackers could develop an exploit. This is why details of security vulnerabilities should be kept secret as long as possible. Also, from a public relations point of view, it sounds far more serious and gives more ammunition to the open source zealots if Microsoft were to issue press releases saying "Please turn off the following feature because our product is insecure". Better just to roll out the patch when it’s done.

    To this end, I strongly applaud the use of legal threats (as with a recent Sybase product, see more at http://www.computerworld.com/securitytopics/security/story/0,10801,100637,00.html ). This is a very effective deterrent for disclosing details of vulnerabilities in the first instance, thereby making the internet more secure.

  20. Anonymous says:

    Thomas Wagner: I had to do some checking around. As it turns out, PocketPC’s are an OEM product, and Microsoft doesn’t actually directly sell PocketPC’s. So, you’ll have to check with the OEM who made your PocketPC to see what the support policy is for it.

    Jonathan: On Longhorn + Windows XP lifecycle etc. You and Bruce are right, releasing an OS like Longhorn does have an effect on the XP lifecycle in some way (just as releasing an SP affects earlier SP’s), but until Longhorn is released I can’t say definitively what it will be. So, until then, we can all only acknowledge that Longhorn might impact the XP lifecycle (the "+2 years" part) and leave it at that. Also that’s why I mentioned a future IE 7 blog: its release might affect the lifecycle for other OSes or Browsers or Service Packs.

    Nathan: I’m sorry you’re not finding the blog useful. We’re trying to blog on topics that span our entire user base (not just IT pros or web devs). If you have an idea for a blog topic that hasn’t already been beaten to death, let us know!

    Everyone else: thanks for your comments. I’m glad to hear that folks think our policy makes sense. What’s curious is that typically our blog comments are full of comments from, shall we call them "browser enthusiasts," but this time it’s been pretty quiet. Is Microsoft the only company with a lifecycle policy worth talking about?

  21. Anonymous says:

    Christopher – I appreciate you responding, the main thing that I’m upset about is the lack of updating. I don’t see much activity by the MS employee’s. I’m glad to see that you’re reading this and responding. I do find the posts interesting, but I’d like to see the blog updated 3 or more times a week (as a blog should)

    Chloe – You misunderstand the whole Sybase issue. Read this article http://www.eweek.com/article2/0,1759,1778403,00.asp

    Nathan

  22. Anonymous says:

    "Chloe – You misunderstand the whole Sybase issue."

    I don’t misunderstand it at all. In my opinion no vulnerability should ever be disclosed even if it is patched, and there should be legal avenues open to vendors if this is ignored.

    The focus of security testing has for too long been in the hands of those without appreciation for the real-world consequences of their disclosure. Lawsuits and/or criminal prosecution are excellent ways to help prevent that.

    For an example of how the different models work, take the current JavaScript engine exploit in Firefox. After public disclosure Mozilla had to run around and patch very quickly, probably not testing enough in the process. They will be forced to rush their 1.0.3 rollout.

    Compare to these vulnerabilities discovered. Only eEye and Microsoft know how to exploit these vulnerabilities. This means there is no particular hurry on the part of MSFT to patch. They can do things on their own terms, which will probably result in a better patch.

    If in addition, eEye don’t disclose details AFTER the patch (which is the issue with Sybase) then hackers can’t exploit older systems, or develop the vulnerabilities in new ways. Powerful information disclosing how to exploit popular software should definitely be kept secret, at all costs. After all, there are very valid national security concerns involved too!

    Sybase’s policy shifts the balance of how to control security policy back to the vendor, which can only be a good thing.

  23. Anonymous says:

    "If you have an idea for a blog topic that hasn’t already been beaten to death, let us know!"

    Several weeks ago, there was a blog which listed a number of topics that would be blogged about over the coming weeks. They’ve hardly been touched, and I’m looking forward to reading more about them.

    One of the topics was "standards, standards, standards: say something!" I wonder if the standards blog entry from a couple weeks ago was supposed to be "the" entry on this topic. I hope not, because it leaves us with a lot more questions than answers.

    How long till the "we can’t talk about IE7" ban is lifted? I was optimistic when IE7 was announced that ok, now they’ll start talking about what’s going on. But it doesn’t look that way.

    Look at Avalon and Whidbey/VS2005. They’ve been discussed in depth for years and they’re still a ways away from release. Why the hush on IE?

  24. Anonymous says:

    Chloe,

    I see your point. I haven’t decided which side of the fence I’m on, I like the process to be open for the public, but with that comes the inherent danger.

    I’m just interested in finding out if you want to know:

    a) if there was a security issue (with no details named)

    b)for it just to be kept a secret (no knowledge to the public).

    c)other… (please fill in)

    Thanks

  25. Anonymous says:

    "Is Microsoft the only company with a lifecycle policy worth talking about?"

    Sometimes it feels like they’re the only company with a lifecycle policy full stop.

    I’ve lost count of the number of times we’ve been stung by a vendor who has released a new version not long after we purchased the previous release – only for them to tell us we need to buy an upgrade to fix a bug/flaw because they no longer fix the old version.

    It’s one of the things which Microsoft have always done very well with, so I’m not at all surprised that there aren’t all that many people complaining (well maybe a few VB6 devs but they can hardly say they didn’t see that coming!)

  26. Anonymous says:

    Well, it seems that that events have borne out my viewpoint. See:

    http://weblogs.mozillazine.org/asa/archives/007898.html

    for an insider view of the disaster that is Firefox’s ‘open’ security.

    For your questions Nathan, I think the existence of a patch in itself gives away the fact that security vulnerabilities exist. So you don’t lose much by disclosing that the problem exists. However, it might motivate hackers to try harder, so if the security patch can be combined with a functionality patch then there is then no real need to disclose the security aspect. I do think actual details of vulnerabilities should be kept very secret.

    Sharing vulnerability information with trusted computer security professionals, under strict NDA, will help improve security further. There is very little further gain from releasing details to the world, and far more to lose.

  27. Anonymous says:

    Jonathan – Your feedback on standard discussions is noted. I’ll follow up with folks on Chris Wilson’s team about blogging on that topic. Remember, Chris is gone on parental leave for a few weeks which is probably why that slowed down.

    Nathan & Chloe – What you’re talking about is "responsible disclosure." People who find security flaws should, in my opinion, work with the vendor privately to inform them of the flaw and the vendor should keep the finder in the loop as to when a fix can be delivered. I’m aware that in years past folks felt like that didn’t work (they’d send mail to a company and would be ignored) but TRUST ME that shouldn’t happen around here (and I’m sure at many other companies too) any more 🙂 There’s probably more info on responsible disclosure on the MSRC blog at http://blogs.technet.com/msrc/default.aspx (at least, that’s the best place to talk about it since it’s not just an IE thing). I cannot stress enough how good for everyone responsible disclore is.

    AndyC – thanks for your thoughts on our lifecycle. There was a lot of work done in recent years to try and come up with a lifecycle policy that made sense for our customers. I’m glad to hear that it makes sense to you!

    -Christopher

  28. Anonymous says:

    @Christopher : So if our feedback on standards is noted, can I conclude that you’re working on implementing what we wanted ?

  29. Anonymous says:

    FlorentG: You can conclude that we’ll blog about IE & standards support again in the future! 🙂 I can’t speak about what we are or aren’t doing in IE 7 yet. To repeat what Dean, Chris, and others have said in previous blogs: we hear & appreciate feedback about which useful, specific standards people would like us to support.

  30. Anonymous says:

    While I think it’s good that Microsoft supports outdated versions of their products, it is also comforting to know that their marketing team has been advocating Updates feverishly of late which should do a great deal towards making sure people are using IE7 and not IE6 or even IE5.5 in the future. From a web-developer standpoint, this will hopefully mean no more supporting IE5.0-5.5 as an industry standard (cheer!) Of course, even supporting IE5.5 isn’t as bad as it was a few years ago, when you had to support Netscape 4.x (where every minor version of the browser rendered your page differently – ick!)

  31. Anonymous says:

    "we hear & appreciate feedback about which useful, specific standards people would like us to support."

    So you’re not just interested in which parts of the standards people want? That would be a step in the right direction.

  32. Anonymous says:

    David Naylor: actually that’s exactly what we want. Specifics are invaluable. I was referring a bit to Chris Wilson’s post where he pointed out that a bunch of folks ask for "full <insert some standard or not really a standard here>" but don’t really have any information to back it up. It’s the "script kiddie" request for standards. So actually, specifics about what part of which standards, and why, is the best kind of feedback we can receive. Thanks!

  33. Anonymous says:

    So, what’s wrong with refering to the W3C for the specifics? If I say "I would like you to fully adhere to CSS 2.1" (which I truly do), I expect you to know that the CSS 2 revision 1 details are available at W3C.org.

    I feel the whole point of specs and standards is that they be implemented to their full extent, or at least as far as practiacally possible. (Some standards are apparently a little ambiguous.)

  34. Anonymous says:

    Let’s just get some more postings. It’s been over a week since the last posting. Surely *someone* on the IE team can spare a few minutes to write a posting now and then… 🙂

  35. Anonymous says:

    Christopher Vaughan [MSFT] Wrote:

    "As for whether or not we’ll have IE7 for Windows 2000, that’s not something I can talk about at this time."

    Which only makes the above blog entry more confusing to me. Why reference a OS lifecycle policy that may or may not apply to IE7?

  36. Anonymous says:

    > If you have an idea for a blog topic that hasn’t already been beaten to death, let us know!

    The feature set and standards support of Internet Explorer 7.

    > What’s curious is that typically our blog comments are full of comments from, shall we call them "browser enthusiasts," but this time it’s been pretty quiet. Is Microsoft the only company with a lifecycle policy worth talking about?

    No, it’s because you changed the method of posting a comment recently. Now, when you scroll to the bottom, it looks like you’ve switched comments off. The link at the top doesn’t stand out at all. Big usability mistake.

    > Compare to these vulnerabilities discovered. Only eEye and Microsoft know how to exploit these vulnerabilities.

    You cannot possibly know this. For all you know, your servers could have been compromised months ago by a blackhat who made the same discovery but chose not to share it.

    > Well, it seems that that events have borne out my viewpoint. See:

    http://weblogs.mozillazine.org/asa/archives/007898.html

    for an insider view of the disaster that is Firefox’s ‘open’ security.

    Asa said:

    We’ve run into one of those "fix the root cause or patch around the symptoms" trade-offs and to prevent future security issues, we’re leaning towards the "fix the root problem" fix.

    You consider that to be a disaster? That behaviour is exactly what I want from vendors. It’s a hell of a lot better than some of the "fixes" Microsoft has put out in the past, e.g. a patch that looked for and blocked the proof-of-concept, but didn’t actually fix the vulnerability (that was some "crash the computer with a malformed packet" exploit, IIRC).

    > You can conclude that we’ll blog about IE & standards support again in the future! 🙂 I can’t speak about what we are or aren’t doing in IE 7 yet.

    Can you speak about when you can speak about them? It’s been months and we still have virtually no information beyond some rumours that you wont touch CSS. Surely you have some idea of what you are attempting?

    I asked for a simple yes or no regarding PNG alpha a while ago, with no answer. Can you at least tell us *when* you will say yes or no?

    > a bunch of folks ask for "full <insert some standard or not really a standard here>" but don’t really have any information to back it up.

    What information would you like? I have asked for HTML 4.01, CSS 2/2.1, PNG 1.0 and HTTP 1.1, and I don’t consider myself to be a "script kiddy" in the slightest.

    I’d provide the information to "back it up", but I’m unsure what you need that you don’t already have. You can read a specification, right? The information’s right there.

  37. Anonymous says:

    So given the policy on the page linked to, does that mean that MAC IE 5.2.3 has an end of lifecycle on Jun 16, 2008 given a release date of 2003-06-16??? That seems a bit of a stretch given the fact that its development has been dropped. As a web dev, I’m a bit curious on that decision.

  38. Anonymous says:

    Hey everyone, Christopher here with another in a string of Windows Lifecycle reminders.

    Windows 98,…

  39. Anonymous says:

    I’ve been getting questions from folks lately who are wondering what will happen to IE6 (SP1) when…