
CFMyths: "If/when I apply Cumulative Hotfixes, I need apply only the latest CHF, right?"

Note: This blog post is from 2010. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This is the second post in my planned CFMyths series. In the first, I addressed the myth that "When I download CF to install it from scratch, it has the latest fixes/updaters".

Here's the next, related, myth:

True or False: "If/when I apply Cumulative Hotfixes, I need apply only the latest CHF, right?"

For instance, let's say you're currently running CF 9 update 1 or CF 8.0.1 and discover (perhaps due to my last blog entry) that you had never applied any of their associated CHFs. It would seem you should just be able to apply the latest CHF and not bother with anything related to the previous ones, right?

Answer: Well, yes and no.

There may be manual steps in skipped CHFs

Technically, yes, you need only apply the latest CHF in terms of getting whatever hotfixes are included in the chf jar.

The problem is, there are sometimes multiple steps involved in applying a given CHF (especially in CF 7 and 8), or there may be specific hotfixes that are indicated at the end of the CHF technote as requiring a manual step. I'll explain the differences in more detail in a moment.

If you have NOT done those manual steps, you WILL still need to do them, even if you "skip" that CHF in question.

This is definitely the case for CF 8.0.1, which had 4 CHFs, and also for CF 7.0.2, which had 3, and for each release some of the CHFs had manual steps. It's not the case for CF 9 Updater 1 (9.0.1) CHF2 and 1 (this sentence added as an update since this entry was originally posted.)

The table below details which CHFs, specifically, have manual steps. (For CF 8.0, none of the 3 CHFs had any manual steps. I'll explain later here why I can't tell you for CF 7.0.1 or 7.0, and why this isn't an issue for CF 6.1 and 6.0 users because they didn't have CHFs at all to potentially "skip".)

This isn't a mere technicality: it could be critical

Some may think I'm being pedantic in raising this concern, but take my word as a CF troubleshooting consultant: some of these manual steps are very important ones, so it's really unfortunate that some people may be "skipping" them inadvertently. I help people with this very problem at least once a month.

For instance, in 8.0.1 CHF 4, there is a bootstrap.jr needed, along with some manual hotfixes, some of them related to security fixes. In 8.0.1 CHF 3 there are important fixes related to image processing problems (which have plagued many who are missing this fix).

And perhaps most important, for those running CF 7.0.2, there was a surprisingly critical (yet innocuous looking) manual step in its CHF 2, and this one hotfix may be the explanation for many people suffering inexplicable memory leaks in that release. I'll discuss each of these more in a moment.

What do I mean by "manual steps" in a CHF? How would you tell if they are there?

What I'm talking about here is any of several different kinds of manual steps in a given CHF. I'll first explain them, then summarize them more succinctly in a table to follow.

1: A simple, single-step CHF

First, by comparison, note that for most CHFs, applying the update merely involves downloading a zip, extracting a single jar, and using that to apply the update, whether by uploading it in the CF Admin "system information" screen or by dropping it into the appropriate lib/updates directory. Each approach is discussed in the technotes. I'll note that many don't realize they can apply HFs and CHFs merely by dropping their respective jar into the appropriate lib/updates directory: the technotes sometimes only mention this fact in the "uninstalling" section, where they point out that the files to be deleted have been placed there by using the Admin interface.

2: A multi-step CHF

As a second example, in contrast to the simple one-step CHF above, sometimes the technote for a CHF will have more steps which indicate that you need to manipulate multiple files in one or more extra steps.

As I mentioned above, the CHF4 for 8.0.1 is an example of that. This is the kind that is most disconcerting to me.

3: A CHF with multiple zips

A third example is really a variation of the last one: some CHFs don't have so much "multiple steps" but instead have multiple zip files that need to be extracted.

The CHF1 for CF 9.0.1 is such an example. Note that its steps 6-9 involve updating files in WEB-INF/cftags and CFIDE directories.

In such a case, we just need to hope that any next CHF will offer those same files (and as an update since this entry was first written, CHF2 DOES include the same--though perhaps updated--files in its zips).

Unfortunately, the technote for CHF2 doesn't make this entirely clear, but I compared the extracted zips to confirm it.

4: A CHF with separately applied individual hotfixes

Finally, in some CHFs, there may still be only one chf jar file, but after the simple list of steps for applying that, the technote may then also list additional individual hotfixes which still need to be applied, separately from the hotfix.

These may be listed either at the top or bottom of the CHF technote (though usually, they are listed at the bottom). There are several CHFs of this sort, and again I will detail them for you later here. But first, let me stress an important example of this.

A Critical example from CF 7.0.2

A critical (and sadly, oft-missed) example of this is the 7.0.2 CHF 2. At the bottom of that page are listed several such "manual" hotfixes, and among those is one extremely important one. Unfortunately, the wording on the page doesn't make it sound very worrisome (and frankly, seems incorrect from my experience). In testing I did at the time, this was a hotfix which when implemented would stop a bug where CF would hold memory from a file upload until CF was restarted--a true memory leak. Adobe did fix the problem in CF 8, and said so, which is how some of us became aware of it.

But even if you DID read the CHF technote, you may not sense the severity. The link to the hotfix labels it as "Update for cffile memory leak", and the text preceding that says, "This hot fix is for a potential memory leak caused by cancelling cfuploads in progress with ColdFusion MX 7." In my testing, though, it really had nothing to do with "cancelling cfuploads". It was any file upload (where you had an input type="file" in a form that was used to post a file) to a CF page, whether you cancelled it or not!

Further, if you go on to read the page about the hotfix itself, its own title might lead some to think it applies even less to them, "Hot fix to make ColdFusion release memory properly with file uploads and CFC's stored in application, session or server scope". Is this meant to be read that the file upload has to happen in a CFC stored in a shared scope? If you thought so, again, you may shrug it off as a seemingly rare situation, but again in my testing back then, it did not matter. Any file upload to a CF page held memory for the size of the file uploaded, until CF was restarted. To make matters worse, the text in the body of the technote says (in my mind, incorrectly), "ColdFusion does not release the memory properly with file uploads when a reference to a CFC is stored in the application, session or server scope in the same page".

Take my advice: ignore all that mumbo-jumbo. If you're still on CF 7.0.2 and you missed that manual hotfix listed in CHF 2, go apply it! It may be the reason you've had CF crashing for running out of heap. (And if you're still on CF 7, then of course you should move up to the free 7.0.2 updater. Again, I discuss and link to updaters in the previous blog entry.)

Again, though, this is just one example (7.0.2). There are similar examples of such similarly-required separate individual hotfixes in some other CHFs for other releases.

When will Adobe stop the madness with an automated installer?

This is an update since I wrote the note: I had commented then that, "Until and unless Adobe implements a more automated system for applying updates (and I really don't want to debate that, as it's just not my focus here), then it just "is what it is", that you simply NEED to look at any prior CHFs that you may be trying to "skip" in getting up-to-date."

Well, the good news is that as Adobe has been talking about the upcoming new release (currently codenamed "Zeus"), one of the most significant new features is an automated hotfix mechanism. This isn't the place to elaborate on that (since few details have been shared), but I may do another blog entry in the future, if someone else doesn't first. (If you're reading this and know someone who has, share it in a comment.)

What CHFs in what releases have manual steps?

So, given all the above, which CHFs do you need to worry about, if you are intending to "skip" them? To help make things easier to track, following is a table that identifies each CHF for the most recent releases, and it indicates for each CHF whether it has any manual steps. If it does, then if you are skipping it to move to a later one, you need to be sure to apply those manual steps:

| CF Version | CHF Number | Manual Steps? | Technote |
|---|---|---|---|
| CF9.01 | chf 2 | Maybe. Can be skipped if future CHFs include all files in zips. | technote |
| CF9.01 | chf 1 | Maybe. Can be skipped if future CHFs include all files in zips. | technote |
| CF9 | chf 1 | No | technote |
| CF8.0.1 | chf 4 | Yes, additional steps, and separate individual (security) hotfixes at bottom of page | technote |
| CF8.0.1 | chf 3 | Yes, separate individual (CFImage and image function) hotfix at top of page | technote |
| CF8.0.1 | chf 2 | No | technote |
| CF8.0.1 | chf 1 | No | technote |
| CF8.0 | chf 3 | No | technote |
| CF8.0 | chf 2 | No | technote |
| CF8.0 | chf 1 | No | technote |
| CF7.0.2 | chf 3 | Yes, separate individual (CFDocument) hotfix at bottom of page | technote |
| CF7.0.2 | chf 2 | Yes, separate individual hotfixes at bottom of page (including critical one for file upload memory leak) | technote |
| CF7.0.2 | chf 1 | Yes, separate individual hotfixes at bottom of page (including update for JDBC drivers) | technote |

So you can see that this problem is most significant (for now) for those on CF 7.0.2 and 8.0.1.
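As an added illustration (not code from this blog or from Adobe), the table can be turned into a small audit helper: given the jar names found in a server's lib/updates directory, it reports which CHFs between the installed level and the target carry manual steps that still need checking against their technotes. The function names are hypothetical, and the CHF jar naming pattern used to detect the installed level is an assumption, not something stated on this page.

```python
import re

# Transcribed from the table on this page: (CF version, CHF number) -> manual-step
# note, or None where the table says "No".
MANUAL_STEPS = {
    ("9.0.1", 2): "maybe: skippable only if later CHF zips include all its files",
    ("9.0.1", 1): "maybe: skippable only if later CHF zips include all its files",
    ("9.0", 1): None,
    ("8.0.1", 4): "additional steps, plus separate (security) hotfixes at bottom of technote",
    ("8.0.1", 3): "separate (CFImage and image function) hotfix at top of technote",
    ("8.0.1", 2): None,
    ("8.0.1", 1): None,
    ("8.0", 3): None,
    ("8.0", 2): None,
    ("8.0", 1): None,
    ("7.0.2", 3): "separate (CFDocument) hotfix at bottom of technote",
    ("7.0.2", 2): "separate hotfixes at bottom of technote (incl. file upload memory leak)",
    ("7.0.2", 1): "separate hotfixes at bottom of technote (incl. JDBC drivers update)",
}

# ASSUMPTION: CHF jars are named chf<3 version digits><4-digit CHF number>.jar.
CHF_JAR = re.compile(r"^chf(\d)(\d)(\d)(\d{4})\.jar$", re.IGNORECASE)


def installed_chf(jar_names, version):
    """Highest CHF number whose jar is present for `version`; 0 if none."""
    want = (version.split(".") + ["0"])[:3]
    found = [0]
    for name in jar_names:
        m = CHF_JAR.match(name)
        if m and list(m.group(1, 2, 3)) == want:
            found.append(int(m.group(4)))
    return max(found)


def manual_steps_to_review(version, jar_names, target=None):
    """CHFs after the installed one, up to `target`, that carry manual steps."""
    known = sorted(n for (v, n) in MANUAL_STEPS if v == version)
    if not known:
        raise ValueError(f"no CHF data on this page for CF {version}")
    target = max(known) if target is None else target
    current = installed_chf(jar_names, version)
    return [(n, MANUAL_STEPS[(version, n)]) for n in known
            if current < n <= target and MANUAL_STEPS[(version, n)]]


if __name__ == "__main__":
    # Constructed listing of a lib/updates directory (not from a real server).
    listing = ["chf8010001.jar", "example-individual-hotfix.jar"]
    for chf, note in manual_steps_to_review("8.0.1", listing):
        print(f"CF 8.0.1 CHF {chf}: {note}")
```

A jar in lib/updates only shows that the CHF jar itself was applied; the manual steps reported here still have to be confirmed by hand against each technote.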

I'm not going to list 7.0 or 7.0.1, because for one thing, the links to the technotes for their CHFs are currently failing for me (as offered from the CF 7 hotfixes page--and this URL has in fact now been updated to point to archive.org because the original no longer exists at Adobe), so I can't look at them to confirm if they have manual steps. It's reasonable to assume they do. Another reason not to list 7.0 and 7.0.1 is that, again, if you're on those releases, you really ought to update to 7.02 (for free), if not to 8 or 9.

You may notice that I don't list CF 6.1 or 6, either. Well, in fact, the whole concept of cumulative hotfixes was added only as of CF 7, so this concern (about trying to "skip" CHFs) just doesn't apply to those running CF 6 or 6.1.

And don't forget to check for any subsequent hotfixes after whatever "latest" CHF you apply

Finally, this entry has focused on what manual steps you may need to do related to previous CHFs you may be trying to "skip". But separate from those, keep in mind as well that there may be one or more individual hotfixes that have come out since any given CHF was released (or you may have applied it).

Part of the challenge is that, since the technote for a given CHF is written when that CHF is released, it obviously does not at that point in time reflect any new hotfixes posted after that. I suppose we could argue that Adobe should warn you (at the bottom of each CHF) to also go check if there are any subsequently released hotfixes.

For now, it's incumbent upon you to keep an eye on the hotfix page for the version you are using. I listed them in the last blog entry, but here they are again:

For example, as of this writing, there are 2 hotfixes listed after (chronologically) the latest CHF for CF 9, CHF 1. There are also 2 hotfixes currently listed after the latest CHF for CF 8.0.1 (CHF 4), there are 4 hotfixes after the latest CHF for CF 8.0 (CHF 3), and there are 2 after the latest CHF for CF 7.0.2 (CHF 3). So again, if you think you're "at the latest CHF", make sure there aren't still more hotfixes that apply to you. For more information, see the corresponding page in the links immediately above, for whatever version of CF you're running.

Finally, with respect to watching out for individual hotfixes within a given release, note that you generally cannot watch only the main "CF Updates" page. That generally lists only installers, updaters, and CHFs. (That said, there is at least one "input sanitization" hotfix shown at the top of the list of CF 8.0.1 CHFs.)

Hope all that's helpful. Let me know what you think.

Comments
As always, thank you again for providing another invaluable resource to the community. You are a true asset.

One thing I have never found is a reference that tells you what version number one should see once a hotfix has been applied.
Thanks for the kind regards, Cutter. As for your challenge, it's that the version number does not change (except with updaters). Instead, the only way to know for sure what all updates are applied is to look in the lib\update folder.
This is awesome! I am so glad we are using ColdFusion as a platform. Everything is so simple and cheap to fix — and easy to find developers for. I really am so pleased we didn't opt for LAMP or another solution, as that would have just been so sane.

<bashes head against a wall>
# Posted By Fonnt | 1/31/11 1:24 PM
Well, @Fonnt, it is what it is. I just wanted to share the info to help people who may be tripped up by it (whether they love CF or feel they "have to" use it.) Honestly, it's a pretty minor issue for all the other power of CF, I think.

Anyway, let's let it be at that. I don't want this to turn into a place to debate CF.
Excellent details in this article.
I've been using CF since 1998, and the bottom line to me is that I have enjoyed a much better standard of living since that time.
# Posted By rlamfink | 2/3/11 9:02 AM
Thanks for the encouragement, rlamfink, and for the shout out for CF. :-)
Hi Charlie,

Thank you for posting this. Typically, I try to install the hotfixes as they come out - so I'm afraid I hadn't really thought about this issue too much. It makes sense and I'll try to keep this in mind, going forward. I agree it'd be nice if Adobe makes this more apparent in future CHF KB articles.

And.. I love ACF!! =D

-Aaron Neff
Thanks for that, Aaron. Great to hear when the info may have helped folks.
Hi Charlie,
After a couple of server restarts for Windows updates last week, pages that have tabbed layouts will not render. Everything is fine on the page with only the cflayout tag, but when I add the cflayoutarea tag it breaks the page and I end up with a blank page. I do not get any errors on the page, but the logs show an “org/owasp/esapi/errors/EncodingException” error.

I have the same problem on both of my servers. One is a newish ColdFusion 9 install (September 2011) and the other is currently running ColdFusion 9 but is fairly old and originally started out with version 7.

When I installed the new server I was careful to install the updates, CHF's, and hotfixes in order (or so I thought). I installed all the updates and hotfixes up to and including CHF1. The other server hadn’t been updated, so at that time I also installed Update 1 and CHF 1. I have had no issues after applying the updates - until last week.

Over the weekend I installed CHF2 and the Hotfix that was released last week on the newer server, but the problem persists. I’ve been searching and I haven’t found any mention of this particular issue, so I have to assume that I have something set up incorrectly on my servers. It’s also possible that I mucked about with the ext js. I took a look at the file dates and all of the dates are from the same day I installed ColdFusion. In addition, I don’t recall making any changes, but you know how that is sometimes.

Now, I'm second guessing myself and I'm not sure if I got all of the Hotfixes or if I applied everything correctly. Is it safe for me to start over with the hotfixes and CHF’s released after Update 1?

Thanks for your help,
Janey
# Posted By Janey Ferguson | 12/19/11 3:00 PM
Janey, I would strongly suspect that you have made a mistake in applying one of the fixes--and most specifically, with respect to the CFIDE, since that's where the HTML generated by CFML (and tags like cflayout etc) have the browser return to the server to find certain files. If they are either not found, or are the wrong version (for the CF engine that's either generating the code or trying to process the results), then you'd get an error.

I mention in the blog entry how there's a real likelihood for most people that they have multiple CFIDE locations. Did you confirm yours, using both the CF Admin mapping and the web server mapping? And did you update that directory? And did you confirm you didn't perhaps extract to the right place but to the wrong level?

Look also at the HTML that's generated, and more specifically at the requests that go back to the server (such as for script src tags) to see what they do, where they go, what they get, etc.

Finally, I'll add that I can work with you (or anyone getting such problems) to help resolve such problems, per my independent consulting. More at www.carehart.org/consulting/.
Thanks for your help Charlie. I *carefully* reinstalled CHF2 and the latest security hotfix and that corrected the problem. I was a little panicked yesterday.

Thanks again, not only for this but also with all the other information you share and for organizing the CF Meetup group.

Janey
# Posted By Janey Ferguson | 12/20/11 4:04 PM
Great to hear: that the problem is resolved, and that it does seem it was a mis-application of the hotfix. It sadly is just so easy to do.

Thanks for the update, and the kind regards. :-)
Copyright ©2024 Charlie Arehart