I've never been one to upgrade Windows. You know how, with each new version of Windows, you can either format the drive and start from scratch or let the setup migrate settings and applications? While keeping settings sounds wonderful in concept and it would be great to save the full day it takes to reinstall apps, I prefer to just wipe the slate clean and get rid of all the built-up detritus that inevitably clogs a system's arteries after even mild use. Besides, most people need to rebuild their systems every year or so anyway, to take care of flakiness and other random problems. So why not do it when moving to a new version of Windows?
But now it's official from the mouth of Microsoft: what they call “wipe-and-load” is more secure! The TechNet article Upgrade or Wipe-and-Load: Choosing the Best Scenario for Deploying Windows XP Professional by Jerry Honeycutt, ends with “a strong recommendation that you choose to use wipe-and-load instead of upgrading computers.” Gosh, I love being right all along, even if it was for the wrong reasons!
The security issues are the most compelling reasons for this recommendation. Microsoft tries to logically migrate settings from one version to another in an upgrade, but sometimes has to make less secure decisions in order to avoid breaking apps (something it puts far too much emphasis on, IMHO). A prime example of this is when you upgrade from Win9x to XP. Members of the User group in 9x are put in the Power Users group in XP, a group that has most of the permissions of the Administrators group. I call it Admin-Lite, certainly not the way to take advantage of Least Privilege.
But what really scares me is that the upgrade process makes some rather complex decisions about what settings to keep and what to change. This means that after an upgrade you're not starting from a known state: the settings are neither those of the old OS nor those of a clean XP, and the settings will be different depending on what OS you're upgrading from. That's just way too random for me, and helps make my life as a developer a nightmare (unless someone else is doing technical support!)
The problem, of course, is that “legacy” applications (those are apparently apps that weren't written with care and concern for security, because the world was a safer place back then) are even less likely to work in a wipe-and-load scenario than upgrading. But that's true any time you change OSes, so why not end up with broken apps and a more secure computer? And with WinXP SP2 causing trouble--albeit well-advertised trouble--more apps are going to choke.
An added benefit is that any privacy issues on the old machine, such as from spyware or a well-built-up store of data and settings in IE that can expose information, disappear if you start afresh.
But let's face it: this is the real world and sometimes you've got to upgrade. Just be aware that you'll end up with a Windows machine that is configured like no other, so be prepared to deal with it.