The computer security picture became unexpectedly murkier after the release of Microsoft's new Service Pack 2 for Windows XP. Murkier because although downloading security patches seems like a no-brainer, there are reasons why this huge package should be handled with caution.

Service Pack 2 is almost an upgrade, rather than a patch, of Windows XP. And that means it's going to have its share of bugs, many of which have begun to be reported in various online forums. It makes sense to let others test the product while the shakeout period continues.

Microsoft's biggest target with SP2 is people who don't run security software and thus become prime targets for hackers. SP2 not only consolidates a string of the company's previous fixes, but also adds strong default security settings. That makes for an 80 MB download, big enough that dial-up users will choose the free CDs Microsoft will distribute rather than getting it online.

Another point: Microsoft has published a list of 50 programs and games that may not work properly after the SP2 upgrade, including such stalwarts as AOL and Microsoft's own Office. One reason is that SP2 will enable the Windows firewall by default, meaning that users will have to change the firewall settings (or turn off the firewall) to let programs that need to reach the Net pass through.

You can find out more firewall issues with SP2 at www.microsoft.com/windowsxp/sp2/.

But some of these problems may not be due to the firewall. Microsoft has also listed more than 200 programs that will behave differently after SP2 is installed. Some developers will change their programs to work with SP2's tighter security; give them time to work.

In spite of all this, SP2 is a step in the right direction. We have to tighten security in a world where viruses attach themselves to unprotected computers and turn them into servers that distribute spam or new viruses and worms.

So I recommend going slow on the upgrade at the same time you plan to move to it eventually. Let the bugs be removed first, and let developers tweak their programs to work well with the new XP. In the meantime, you still need strong security, and that means making sure you're doing what you should have been doing all along. Run an anti-virus program. Run an anti-spyware program. Use a firewall.

And, of course, keep current with all other patches to your operating system software. If you do all these things, you will be able to delay the SP2 upgrade while computing in safety. Then realize that you still have work to do about security, with or without SP2.

For one thing, even the upgraded Microsoft firewall does little to handle spyware. This insidious stuff can clog your system, accessing the Internet to report back on your network activities and becoming an open conduit for others to use your machine for their own purposes.

The free AdAware can handle spyware (www.lavasoftusa.com), but here, too, there's a caveat: Any time you use anti-virus or anti-spyware programs, you need to run regular updates. It's not enough to have the program -- it has to be current. Keeping this kind of software up to date usually involves only a single click, and in some cases, like Norton Anti-Virus, it can be done automatically.

Finally, consider your subscriptions. In a recent survey, Symantec found that 47 percent of its anti-virus users thought subscriptions never needed to be renewed. In fact, those that don't renew are at risk from any new viruses. Security isn't optional, and no matter which programs you choose to run, they have to be maintained.