Will Windows XP still be properly supported by Microsoft and, as a primary development target, by third parties? Is there something XP die-hards have missed, some hidden gotcha that's going to trip them up 12, 18, or 24 months from now?
Of course, there's no universal answer to the Vista upgrade question. Yes, in all likelihood you'll be just fine sticking with Windows XP - at least until Windows 7 ships in 2009 or 2010. But let's not rush to universal judgement. Let's take a close, measured look at the key considerations, and compare Vista's merits against the state of XP on the essential points that IT organisations and end-users care about. And if we can't solve this calmly and objectively, like fair-minded professionals, then let's at least have a good fight.
Are you ready to rumble? Okay, then. Operating systems, return to your corners, and come out swinging.
Round 1: Security
Security is one of the first areas to come to mind when considering a Vista migration. Features such as UAC (User Account Control) and Internet Explorer Protected Mode have been making headlines for more than a year - but not always in the context Microsoft would have wanted. UAC, in particular, has been savaged by critics who balk at its many annoying confirmation dialogs. Just try enabling or disabling multiple network connections quickly or moving a file into a protected folder.
However, even with UAC - which is really just a more visible, 'in your face' implementation of the user account controls that have been built into Windows NT since day one - Vista still isn't fully secure. There are documented ways around UAC involving Internet Explorer, security token privilege escalation, and the exploitation of the 'deprecated administrator' status of the default Vista account model.
More importantly, however, is the fact that most IT shops have already implemented a form of UAC under Windows XP by not allowing domain users to run as local administrators and, in some cases, writing their own 'elevation' utilities to make it all work seamlessly. In practice, these 'locked down' XP systems are in some ways more secure than a UAC-protected Vista system, because they're immune to the aforementioned privilege elevation exploit. To bring Vista systems on par with XP, you need to force users to work with a true non-admin account, as opposed to Vista's 'deprecated admin' account, which puts you right back at square one (that is, where XP is today).
Other security features, such as the updated firewall and more esoteric, internal fixes such as Address Space Layout Randomisation, are interesting but by no means compelling. Most IT shops have implemented a proper hardware firewall solution or third-party software for mobile/remote users, and address-based code exploits usually require some degree of social engineering to get them to work - a phenomenon even Vista can't thwart.
Decision: From a security standpoint, there's just not a lot to compel XP shops to upgrade. Many of the issues addressed by Vista have already been resolved under Windows XP using in-house applications or third-party tools.