Survey: One-Fifth of Servers Still on Windows Server 2003

There are just two months left before Microsoft pulls the plug on Windows Server 2003 support, but a significant portion of enterprise servers are still running the OS, according to a recent Softchoice Corp. survey that will be published this month.

Softchoice, a Microsoft large account reseller and managed services provider based in Toronto, Canada, used its Windows Server 2003 TechCheck service to gather data from about 87,000 client servers between October 2014 and March 2015. The company found 21 percent of servers still run on Windows Server 2003. That's only 7 percentage points down from the year-ago period.

The 21 percent figure is "a lot higher than what I thought," said Tim McKellips, Microsoft practice manager at Softchoice, in a phone interview.

Windows Server 2003 is set to reach the end of its extended support period on July 14, at which point Microsoft will stop providing updates and security patches for the product. However, the security fallout may hit organizations even sooner: As InfoWorld noted this week, a patch issued in Microsoft's most recent Patch Tuesday rollout excludes Windows Server 2003 even though the OS is considered an affected product.

Security update MS15-050, which patches an elevation-of-privilege flaw in Windows Service Control Manager, is unavailable for Windows Server 2003 "because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems," Microsoft said in its bulletin. "Microsoft recommends that security-conscious customers upgrade to a later operating system in order to keep pace with the changing security threat landscape and benefit from the more robust protections that later operating systems provide."

Aside from the significant security risks -- Microsoft issued 37 "critical" patches for Windows Server 2003 in 2013 alone -- using Windows Server 2003 beyond its support deadline also puts organizations in danger of falling out of compliance, which could have ramifications for their overall operations.

"The problem is what July 14 represents," McKellips said. "A bigger problem is going to be around what happens to other parts of your business. [With] Server 2003, you're more exposed, but that doesn't necessarily mean you'll be compromised on Day 1. [But] do you have a need to be PCI-compliant for credit card data? You won't pass a compliance audit anymore. You won't be able to meet safety requirements for data security. The server might function but your ability to meet or exceed regulatory or compliance requirements may just vanish."

Besides the amount of Windows Server 2003 stragglers, another surprising finding in the Softchoice survey relates to which platform organizations are deciding to migrate to. Microsoft's recommended migration paths from Windows Server 2003 are Windows Server 2012 or Windows Server 2012 R2. However, Softchoice found that a full 66 percent of the server systems it surveyed run Windows Server 2008, while Windows Server 2012 clocked in at only 12 percent.

"Organizations are choosing to upgrade to Windows Server 2008 in favor of Microsoft's newest offering, Windows Server 2012," the company said.

This finding runs counter to expectation, according to McKellips, considering Windows Server 2008 will reach its extended support deadline in 2020 compared to 2023 for Windows Server 2012. "We found it really interesting that people weren't taking more of a maintenance-free extra step to go to 2012 [and] buy themselves a much longer support cycle," he said, adding, "This is not a phenomenon we see often in other on-prem scenarios like Exchange or SharePoint. Typically, people will leapfrog a version if another version is out. They go to the most current."

McKellips attributed the unexpectedly high number of Windows Server 2008 moves to organizations being overwhelmed by the amount of migration options they have. When Windows Server 2003 was released 12 years ago, McKellips said "there was only one option" for organizations to migrate to, and that was whatever the next Windows Server version happened to be. For organizations stuck in this mindset, Windows Server 2008 is the obvious choice.

"Now there are four or five different destinations," he said. "You can go to cloud, you can go to service in a cloud, you can go to Office 365, you could go to virtualization on-prem or off-prem. There are a lot of different choices that you have that you didn't have with that workload. And that creates an inflection point that I think is tough for organizations to swallow."

For Microsoft partners, he said, the key is to assess a customer's particular server needs and perform a prescriptive analysis to determine which of these choices would work best.

Realistically, a percentage of organizations will be unable to migrate away from Windows Server 2003 before the support deadline. This could be due to a number of factors, including application-compatibility issues or budget or time constraints. For these organizations, Microsoft does offer a stopgap in the form of a Custom Support Agreement (CSA). An organization that has purchased a CSA can continue to receive critical security patches from Microsoft, but only for a limited time after support ends.

A CSA can also be extremely expensive, requiring a high entry payment that doubles every year that it is renewed (for Windows Server 2003, Softchoice estimates that it can cost "$200,000 or more per year"). In its guidance for partners that are helping clients move away from Windows Server 2003, Microsoft emphasizes that a CSA should be offered only if a customer has a documented plan for migration.

About the Author

Gladys Rama is the senior site producer for, and