Windows XP SP2 or Windows Vista – Which Did Better in 2007?

May 14, 2008
Data and Information Security

You’ve been hearing the stories about how people just want to stick with Windows XP SP2, while Windows Vista security is supposed to be better. Do you wonder how many vulnerabilities and patches each one had in 2007?

In the wake of my Windows Vista One Year Vulnerability Report, which compared the “first year of availability” of several products, I received many comments along the lines of “of course Windows Vista beats Windows XP as it shipped in 2001, but what about the current Windows XP SP2?”

I set out to answer this question, at least for 2007, and the result is a short paper analyzing vulnerability data for Microsoft Windows Vista and Microsoft Windows XP SP2 for calendar year 2007, with a brief analysis of whether any benefit is apparent for users of one OS over the other. You can download the full paper here.

Here is the chart breaking down the vulnerabilities by Microsoft severity rating:

I found that Windows Vista offered a benefit over Windows XP SP2 in the following ways for 2007:

  • Windows Vista had 30% fewer Security Bulletins than Windows XP
  • Windows Vista had 20% fewer vulnerabilities than Windows XP
  • Windows Vista had 28% fewer Critical and Important vulnerabilities than Windows XP
  • 26 vulnerabilities on Windows Vista are less severe for users running as a standard user

Jeff Jones is a 24-year security industry professional who has spent the last several years at Microsoft helping drive security and privacy progress as part of the Trustworthy Computing group. In this role, Jeff draws upon his security experience to work with enterprise CSOs and Microsoft's internal security teams to drive practical and measurable security improvements into Microsoft processes and products. Prior to Microsoft, Jeff was the vice president of product management for security products at Network Associates, where his responsibilities included the PGP, Gauntlet and CyberCop products and several improvements in the McAfee product line. These latest positions cap a career focused on security, managing risk, building custom firewalls and being involved in DARPA security research projects while part of Trusted Information Systems. Jeff is a frequent global speaker and writer on security topics ranging from the very technical to more high-level, CxO-focused topics such as security TCO and metrics. Jeff is also a contributor to the Microsoft Security Blog and writes on a wide range of personal interests (e.g. books, poker, gaming) at