Microsoft DLL hell 2.0: the Side by Side assemblies

This not just a rant against microsoft but a pratical article for all developpers using Microsoft Visual Studio 2005 to build their product.
At the beginning of August 2009, Microsoft issued a security patch KB971090 on its Microsoft Visual Studio 2005 product: the result was that when we recompiled our plugin with this updated Studio, it would not run on other PCs. The symtoms were:

  • Our ActiveX would not register on the system, complaining that the CRT or MFC assembly could not be found (to be detected by opening the Event Observer).
  • Our Fireforx plugin would not load.
  • If you have a standalone application and have upgraded to Internet Explore 8, you may have the complain that IESHims.dll is missing.

You can easily confirm the issue by configuring your project to generate an external manifest for your application and see if you have someting like:

version='8.0.50727.4053' processorArchitecture='x86' publicKeyToken='1fc8b3b9a1e18e3b' />

In your manifest.
Hopefully, some smart people suggested four solutions:

  • Install the vc_redist.exe to be found in c:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\BootStrapper\Packages\vcredist_x86 on every customer's PC. Not very convenient.
  • Remove the security fix KB971090. This is what we did.
  • Some other people like Ted, proposes a method to force the use of build 762 (the previous version used by Visual Studio 2005) but we could not make this work properly.
  • Finally, it was also suggested to ship this 4053 build as private assemblies. We ran into other isses that are detailed below.

We also noticed that some client PCs running Windows Vista had updated build 3053 (not 4053) and when we tried to ship build 4053 as private assembly, Windows complained that the two assemblies were in conflict (although we were shipping the MFC and CRT as private assemblies). This conflict message was so undocumented that nobody seems to have encountered the situation. So the simplest solution was to remove this security fix.
I am not sure this is sustainable when Windows 7 will start to be around ...