The Nokia Lumia 900 is a good phone. It looks great and comes at a fantastic price: between $0 and $99 on contract or about $450 contract-free. Unfortunately, if you live in the US, you probably shouldn't buy it.

The problem isn't the phone hardware. Although its specifications are not the highest, the phone is reasonable for the price, and in practice it remains fast and fluid for everyday tasks.

Nor is the problem the phone software, at least, not as such. Windows Phone 7.5 is, for the most part, a well constructed, slick operating system. It's not perfect, and there are gaps that I'd like filled (for example, I'd like support for VoIP applications), but it's eminently livable. Nokia's unique applications—Drive, Transit, Maps—are all valuable additions that greatly enrich the platform.

No, the problem is, well, the future. Unlike the dumbphones of yore, smartphones are chock full of complex software; software that has bugs, and software that doesn't necessarily do everything that you might want. But this is OK, because it also gets better. Bugfixes are released, new features are added, APIs are extended to enable more powerful applications, and the phones improve with time.

With a dumbphone, the phone is at its best on day one. With an updatable smartphone, it's at its worst on day one.

The problem is, it's not clear just what the Lumia 900's future really is. This is a problem with two causes: AT&T and Microsoft.

The Premier Partner

Though the Lumia 900 will be coming to European carriers in the next month or so, and should arrive in Canada later this week, it is, right now, only available on AT&T.

AT&T is Microsoft's premier Windows Phone partner in the US. It's the one which has most prominently advertised Windows Phone, it's the one that has offered the most handset models, and it will be heavily promoting the Lumia 900 in-store. Problem is, that's about the extent of AT&T's "premier" commitment. If you want a Windows Phone that's actually well-supported, you're better off with T-Mobile.

Since the release last year of "Mango," Microsoft has published a number of updates to Windows Phone. Some of these are minor—resolving a small problem with Exchange 2003 e-mail for example—but others are more significant.

Windows Phone has an aggravating bug that causes its on-screen keyboard to disappear occasionally when typing. The bug is by no means fatal. Generally, you can make the keyboard re-appear by tapping outside the text box and then tapping back inside the text box to make it pop back up. It doesn't happen consistently, and a few people might never notice it. But it's tremendously annoying.

Microsoft rolled out a fix for the bug in early January. Three months later, the only AT&T customers with the fix are those who got it preinstalled on their phones. Everyone who bought a phone before January still has to endure the problem.

The same software release that fixes the keyboard bug also includes a measure to address a security issue. Malaysian certificate authority DigiCert Sdn Bhd (not related to the American company DigiCert, though that too sells certificates) issued a number of problematic certificates. Among other flaws, these used extremely weak cryptography and could have been used fraudulently. The Microsoft patch blacklists these certificates. But again, AT&T hasn't deigned to release it.

Though the security issue is minor, the keyboard problem is not. Its user impact and annoyance is significant. Timely delivery of this fix is essential to ensure a good user experience. But AT&T doesn't care.

Lumia 900 buyers will at least receive these updates—those handsets include an even newer build of the software, one that includes these fixes and more. But the next bugfixes? That's anybody's guess.

In recent weeks, AT&T's stance has changed a little. From refusing to talk about updates at all the company has started to talk about an update that it will be rolling out in the (indeterminate) near future. This update will be a "Tango" update and will incorporate a small number of new features, such as MMS messages with multiple images and a built-in voice recording app. Because of the cumulative nature of Windows Phone updates, it will also incorporate all the past fixes, including the keyboard fix.

The company won't, however, specify which of its customers will be permitted to install the update.

A policy problem

At its core, the problem is AT&T's policy towards updates. The company insists on "validating" updates prior to authorizing their rollout. This validation takes time and money. As such, AT&T doesn't want to do it very often. The company doesn't want to test minor updates, even if those minor updates solve infuriating glitches like the keyboard bug. The user experience doesn't seem to be AT&T's priority.

Quite what this testing burden should be, or why it's so onerous, remains unclear, and neither Microsoft nor AT&T will be drawn on it. Some things are clear, however: other operators don't face the same burden (T-Mobile, for example, has been good about authorizing updates in a timely manner), and other AT&T handsets don't necessarily undergo the same testing (Apple doesn't wait for AT&T's say-so or validation for the iPhone).

AT&T's testing burden is, at least in theory, legitimately a little higher than that of other companies, due to the larger number of handsets the company has offered. How much difference this makes in practice is unclear: validating the six or seven devices that the company has sold shouldn't really imply six or seven times the workload of validating a single device.

Whatever the cause, the burden is so great that AT&T doesn't want to take the time or money to validate minor bugfixes. Reading between the lines, the company will validate feature updates, including Tango, but any new bugfixes published by Microsoft between these updates—and authorized by other carriers—will be ignored.

The upshot of this is that if any AT&T handset has a problem—incompatibility with an e-mail service, some user interface glitch, excessive battery usage, or, well, anything—users will be stuck with the problem for months. Even if it's a security problem, users will be exposed for months at a time.

Microsoft has told Ars that it does have a limited facility to force out updates. If there's a serious security flaw that's resulting in phones getting compromised, Redmond can roll out the update without carrier approval. The company representative I spoke to was not entirely sure if these security updates would also require updating with the latest non-security fixes. This seems likely.

Unfortunately for current AT&T customers, none of the past security flaws have been deemed sufficiently dangerous to warrant this kind of patch deployment. Severe security issues can't be ruled out in the future, though. In particular, Windows Phone's Web browser, a version of Internet Explorer 9, shares a common codebase with the desktop version of the browser. The desktop browser has received a number of updates to resolve critical security flaws, and these same flaws should, in principle, be a "feature" of the mobile browser too.

Exploiting the flaws will be a challenge, as Windows Phone's security architecture is quite different from that of desktop Windows, with sandboxing and tight restrictions on what code can be executed on the phone. But such obstacles are rarely insurmountable, and a browser-based attack, using known flaws in the desktop browser, is certainly feasible.

Microsoft's role

Ever since Microsoft started talking about Windows Phone, I have been concerned about the carriers' ability to block the distribution of software updates. Microsoft said at the time that it did not expect the carriers to block updates, and that they would generally not require extensive testing. Our own experiences with mobile carriers led us to perhaps cynically believe that Microsoft's viewpoint was naive, and that the carriers would indeed block the distribution of updates. So it has come to pass.

Microsoft insiders acknowledge that AT&T's level of support has not been all that they would have liked. With the exception of serious security fixes, the inability to keep all phones updated in lockstep is precluded by the terms of the agreements that Redmond has with the mobile operators.

The problem is by no means universal. Some carriers have done a fine job of keeping their customers' phones up to date, and customers of these carriers should be reasonably confident that their phones will get reasonable access to updates. But others—with the standouts being AT&T and Spain's Telefonica—have not.

I thought that with the remarkably smooth Mango update, the carriers had got their act together and that Windows Phone's second year would be free of the update delays that plagued its first year. But it turns out that the Mango rollout was the exception, not the rule.

Microsoft's (perhaps well-intentioned) decision to give the carriers the ability to damage the Windows Phone experience with slow updates is not the only problem. Microsoft's own plans for development of the platform are a concern.

I don't know, because Microsoft won't say, what the future holds in store for Windows Phone. Later this year, there will be a release called Windows Phone 8. This will include, among other things, new hardware capabilities, with the company confirming that it will include Near Field Communications (NFC) support. Other features, including multi-core and higher screen resolutions, are also likely. This operating system is widely expected to be based on Windows 8 (unlike the current platform, which is based on Microsoft's Windows CE operating system).

The big question for current users is, will Windows Phone 8 be available for their phones? Microsoft has assured developers that their existing applications will run on Windows Phone 8, but this is only part of the story. While current Windows Phone owners obviously can't take advantage of support for new hardware—their phones don't have it—new APIs and software capabilities are, or at least should be, a different story.

It should be obvious: Microsoft should offer a Windows Phone 8 update to current handsets, so that they're compatible with any new software (except that which demands hardware not present on current phones, obviously), and so that they pick up new user interface and feature improvements.

And yet there are a few signs that this won't happen. I've heard from two independent sources that current handsets won't receive an upgrade to Windows Phone 8. Mary Jo Foley has heard a similar tale, though she speculates that this will be as more to do with carrier bloody-mindedness than any failing from Microsoft.

If these rumors are true, buying a Lumia 900—or any other Windows Phone handset—is a risky proposition. If you buy subsidized, on-contract handsets, you'll typically be eligible for a new subsidized upgrade every two years. A reasonable expectation, then, would be two years of software support in the form of bugfixes and updates. But if current handsets can't run Windows Phone 8, they'll essentially be cut off from future support in about six months. Developers might still target the older handsets to some extent, but many more will be targeting Windows Phone 8's extended capabilities and richer APIs.

Such a move would be enormously hostile to an early adopter who's invested in the platform right now, and if the Lumia 900 takes any serious market share, there will be a lot of new users left behind.

A rod for its own back

It might seem harsh to warn against buying the Lumia 900 on account of poor after-sales updates and upgrades. After all, Android has a similar problem, and it's been very successful. Indeed, Android's problem is even worse; Microsoft has shown with Mango that it is at least possible to produce a widely available Windows Phone update, which is something Google still hasn't pulled off for its operating system. So the situation certainly isn't as bad as it could be.

The problem is Microsoft promised something better: the hardware availability and flexibility of Android, with the robust and universal upgrading of iOS. Apple doesn't let anyone, not even AT&T or Telefonica, stand in the way of its iOS updates. That's the standard to aspire to, and it's the standard Microsoft alluded to. Accordingly, it's the standard the company should be held to: being merely "better than Android" isn't good enough.

Apple's excellent update track record has also created certain expectations. Where there are questions and disconcerting rumors about Microsoft's plans to update phones to Windows Phone 8, there are no corresponding worries about Apple. We can be confident that the iPhone 4S and iPhone 4 will receive an update to iOS 6 (and there's a chance the iPhone 3GS may even do so too), because Apple has proven its ability and desire to update the platform as a whole.

Rather than recognizing the feat that Apple has pulled off and recognizing that Microsoft still has work to do to reach the standard of the market leader, Terry Myerson dismissed Apple's achievement, claiming that new operating systems for Apple's old phones run so slowly that they force iPhone users to buy newer, faster phones. Criticizing Apple for supporting its customers and at least giving them the option to get the latest software—when Microsoft cannot and will not promise the same for its own customers—does little to inspire confidence that Windows Phone users will be as well-treated as iOS users.

The Lumia 900 is a smart, good-looking phone. With its sibling, the Lumia 800, it's one of the few truly striking Windows Phone designs, and the promotion and marketing it's set to receive should drum up considerable interest. I like the Windows Phone platform, and I'm glad that it's getting this kind of phone and this kind of promotion. I want more people to buy into the platform, too, to make it more attractive for application developers.

But I don't think buying a phone should have to be a gamble. I don't think a flagship phone should have such an uncertain future. And I don't think that a device you're stuck with for two years should have the level of support that AT&T offers. Until AT&T and Microsoft give a genuine commitment to support the phone properly for its lifetime, smartphone buyers should look elsewhere.