Here's an interesting article about the design and production of Windows XP SP2.  Some callout items...

  • "The initial vision was, we were going to enable the firewall, and we were going to ship it." [but it grew and grew,] "And so at that point, I sent out a mail to everyone in the division saying, "This is what we're going to do. We're going to take a little bit more time to do it. And if you want to submit a security feature, you should do so, and then show up at this room." Well, the next day, it was standing room only"
  • "Jim [Allchin] said, we're going to do it big, and we're going to do it once. If we're going to break everything, let's break everything once, but let's fix the problem."
  • "There are a couple of things I hate to do. One is shortcuts and hacks. Every time someone would bring in an app shim, we would say, let's take a step back and look at this. Are you just shimming that application, or are you shimming a symptom? Let's look at a core fix, or a core change, or a Group Policy setting, or something other than an app-by-app fix."
  • "You can never have the expectation that you won't have any problems. I think it's unfortunate that a lot of people, in the beginning, understood that this was a step, and then suddenly it became a panacea for security. Now, I think people understand that it's a step, it's a journey we're going on. And so far so good."
  • "I still get email. I just got one in the last couple of days where some guy said, you know, every day for the last X number of months, I've had to reboot my SP1 system in the morning prior to working, in order to have a reliable [system]. And then he showed his system uptime for XP SP2, and he's been running it for 32 days without a reboot. He said, you guys just did a great job. It's cool to see that that feedback is still coming in."
  • "Microsoft has formalized, for all intents and purposes, a Security Business Unit. Before, with security, each of the individual teams were responsible. And we still have that today, but there's more of an effort now to have a specific business unit focus. So there's some teams that are looking at some of the big [issues] today that we all know about, spam, pop-up blocking, the things we're doing in IE [Internet Explorer]."