You may have mistakenly applied an 8.0 CHF on an 8.0.1 CF server, and not realize it!

Note: This blog post is from 2009. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

I just helped a customer today solve a problem where he swore he had applied the latest Cumulative Hotfix (CHF) for CF 8.0.1, but I showed him that instead he had mistakenly applied the CHF for 8.0. I know how it happened, and showed him. I hope to show how you can avoid the same mistake.

Update: David Collie of Adobe has informed us (via comments below) that he has now fixed the two pages with the problems reported here. We thank him so much! Even so, the rest of the information still stands, since some may have suffered the problem of getting the wrong hotfixes while the problem was in place, or even despite his changes, so I'll leave this entry as is to help them.

The problem: you may have applied CHFs for 8.0 by mistake

When checking whether an 8.0.1 server has the CF 8.0.1 cumulative hotfixes applied, make sure that the jar file in the [cf_root]/lib/updates directory has "801" in its name, like chf8010003.jar. It could easily be an 8.0 CHF by mistake instead, such as chf8000003.jar (note the "800" reference).

How could that happen? More in a moment. But the problem is that CF wouldn't complain about this, whether you applied the fix in the CF Admin or just dropped it into lib/updates and restarted CF. It would just be ignored: the CHF would not do anything, and you would NOT get the updates you expected in the 8.0.1 CHF.

The root cause of the mistake

So how does this happen? I know at least one source of the confusion. I've complained over and over about this: there's an updates page at the Adobe site which starts out offering a link to the 8.0.1 update (itself). There are no CHFs for it. Rather, the problem is that right after it's shown, the page lists the 8.0.0 CHFs! See the screenshot below.

The problem is simply that no one has gone back and updated this page to put in the links to the 8.0.1 CHFs. They're just not there.

So many people may easily miss that those are in fact the CHFs for 8.0, not 8.0.1. Worse, since there are 3 of them (just as some may know there are 3 for 8.0.1, currently), it's even easier for someone to make this mistake and think they're getting the 8.0.1 CHFs.

Again, since applying them gives no error, I would bet that many are in this situation and don't even realize it (and are not getting the benefits of the hotfixes). So follow the instructions above and check to ensure that you really do have a jar with 801 in the name, in either [ColdFusion8]\lib\updates in Server mode, or [JRun4]\servers\[instancename]\cfusion.ear\cfusion.war\WEB-INF\cfusion\lib\updates in Multiserver mode. (Note that for the cfusion instance only, the directories are named cfusion-ear and cfusion-war, with a dash instead of the ".".)
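The check described above can be scripted across many instances. This is an added example, not part of the original post and not an Adobe tool; the file-name pattern is an assumption inferred from the two jar names quoted earlier, and the function names and sample directory are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# ASSUMPTION: pattern inferred from the two names quoted in the post
# (chf8010003.jar, chf8000003.jar): "chf" + 3-digit release + 4-digit CHF number.
CHF_NAME = re.compile(r"^chf(\d{3})(\d{4})\.jar$", re.IGNORECASE)

def release_code(version):
    """Turn a dotted CF version into the 3-digit code: '8.0.1' -> '801', '8.0' -> '800'."""
    parts = version.strip().split(".")
    parts += ["0"] * (3 - len(parts))
    if len(parts) != 3 or not all(len(p) == 1 and p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return "".join(parts)

def audit_updates_dir(updates_dir, installed_version):
    """Sort every jar in lib/updates into matching / mismatched / other."""
    expected = release_code(installed_version)
    report = {"matching": [], "mismatched": [], "other": []}
    for entry in sorted(Path(updates_dir).iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".jar":
            continue
        m = CHF_NAME.match(entry.name)
        if m is None:
            report["other"].append(entry.name)       # not a CHF by this pattern
        elif m.group(1) == expected:
            report["matching"].append(entry.name)
        else:
            report["mismatched"].append(entry.name)  # CHF for another release: CF ignores it silently
    return report

def verdict(report):
    """One-line status suitable for a patch-compliance check."""
    if report["mismatched"]:
        return "WRONG-RELEASE CHF PRESENT: " + ", ".join(report["mismatched"])
    if report["matching"]:
        return "OK: " + ", ".join(report["matching"])
    return "NO CHF FOUND"

def make_sample_dir(names):
    """Create a throwaway directory holding empty files (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="cf_updates_"))
    for name in names:
        (root / name).touch()
    return root

if __name__ == "__main__":
    # Constructed case from the post: an 8.0 CHF dropped onto an 8.0.1 server.
    sample = make_sample_dir(["chf8000003.jar"])
    print(verdict(audit_updates_dir(sample, "8.0.1")))
```

Point `audit_updates_dir` at each instance's real lib\updates path and pass the version that instance actually runs; a non-empty "mismatched" list is the situation this post describes.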

Is the customer to blame for being careless?

Some may sneer that those who make this mistake "get what they deserve", and that it's about "thinning the herd", if people are "so careless". Sorry, I don't agree.

This is a very easy mistake to make, especially for folks who by and large don't spend their days doing this sort of stuff, who might easily assume that what followed the 8.0.1 update on that page was its hotfixes.

And since this "updates" page I pointed to is what's offered on the right of the CF product page, it's just all the more easy to be found--and unfortunate that this problem has been allowed to linger.

So where does one find the 8.0.1 CHFs? And CHF 3?

I wish I could point you to one page that lists links to all the 8.0.1 CHFs, but sadly, that's still another point of annoyance. Some will know that there is this page, ColdFusion Hot Fixes (ColdFusion 8 and later).

But guess what, even IT does not have the CHF 3 listed! :-(

Please, Adobe, fix these things.

You can find CHF 3 for CF 8.0.1 here.

Anyway, do bookmark that updates page. We can only hope that in the future it will be the place to keep an eye on the latest CHFs for each release of CF going forward.

Thanks for that, it's a doozy. The CF hot fix management definitely needs fixing.

I've also suggested to Adobe they improve the whole hot fix installation process. I recently applied 5 hot fixes across nearly 40 instances of CF, which took me the best part of a day to do manually. I don't get why the CF Administrator hasn't got a "check for updates" page which lets you select the fixes to install for your CF version.

Even most of the shareware on my PC at home does this. It's simply not acceptable on an enterprise server application like CF.

# Posted By John Edwards | 9/23/09 9:25 PM
That was one of the reasons I went ahead the other day and created some RSS feeds for the CF updates and security patches. I blogged about it at - http://www.codfusion...
# Posted By John Mason | 9/23/09 9:26 PM
As Charlie says, this is an easy mistake to make so don't dismiss it. Even I have made this mistake and mistakenly thought there was a cf8.0.1 CHF when there wasn't, it was in fact for cf8.0
Adobe's way of dealing with updates is quite poor and not very informative, it is also impossible to tell what updates you installed without physically checking jar files, and this won't tell you about any other types of update.
# Posted By Russ | 9/24/09 6:03 AM
i've felt this pain also. it's incredibly confusing looking at adobe's page to figure out what to apply and to which version. i personally don't understand why they just don't have two separate pages, one for 8.0 and one for 8.0.1.

the other thing that's really frustrating is that most of the time you have to look around the blogsphere in order to find out that a new hotfix was released since adobe doesn't announce it. just google around and look for posting about the release of hotfix 2 and 3 for 8.0.1 and you'll see what i mean.

i haven't a clue about who's in charge at Adobe about dispersing this information to the community and keeping it up to date. in any case someone isn't doing their job.
# Posted By tony petruzzi | 9/24/09 8:09 AM
Can I just say that the security update page is also incredibly confusing? They go through all the trouble to explain each problem and then offer the solution with a download, but then in a small sentence in the instructions of one of them they say if you installed the fix for one then you don't need to install the others... What?

If it's a security update don't you want to upload them all anyway? Why go through all the trouble of offering a solution to one problem and then a separate solution for another if the solutions are exactly the same??
# Posted By Doug | 9/24/09 9:26 AM
Another question (which I know you probably can't answer anyway) is why offer CH fixes for 8.0 anyway?? Shouldn't everyone update to 8.0.1?
# Posted By Doug | 9/24/09 9:29 AM

# Posted By tony petruzzi | 9/24/09 9:42 AM
All fair points, folks. Thanks for the additional comments. I'll offer some thoughts on a few of them.

@John, as for why Adobe doesn't build in a feature to auto check for updates, the argument I've heard is that "many CF sites are on servers set to block communication outbound from the server". OK, so those people couldn't benefit from the feature. Another is that some folks are hypersensitive to a machine in their environment making calls out (even if they don't block them). OK, so such a feature could be made so it could be disabled by them, or even disabled by default. Just seems a shame to throw the baby out with the bathwater, with these two issues.

@Doug, as for why the updates page still offers 8.0 CHFs, that's a reasonable question. But considering that the document even has 7 CHFs, it seems simply to be a document that's been added to over time--just mysteriously not since the 8.0.1 CHFs came out, which seems the only mistake.

I could see some who were on 8 early on (and maybe still are) being a little reluctant to do a wholesale reinstall (which would be required to move from 8 to 8.0.1), whereas applying CHFs is easy. Still, now a couple years on, it certainly seems that the benefits of moving to 8.0.1--and its 3 CHFs--would outweigh the pain of doing the upgrade from 8 to 8.0.1, especially since it's free. (I'm glad to see the 7.02 CHFs still there, as many sites have still not yet paid to upgrade 7 to 8.)

Of course, with the release of 9, CF 7 will be no longer supported, but I see the page even still points to a page for 6 CHFs. Really, it seems that the solution here on this page would be for each release to have a link to the installer, and then to a page with info on the CHFs. But as I noted in my final section, there IS in fact a page that lists 8.0.1 CHFs, but it also has not been updated to list the CHF3, which goes to @Tony's point.

In that regard, thanks very much @John for stepping up to offer the RSS feed. Of course, many will argue that Adobe should be doing it, but until they do, it's certainly better than nothing. (I've raised concerns about the problems with the Adobe technote and hotfix feeds before, http://www.carehart....)

I do agree with all who say that the update process can and should be improved. I didn't address that in this entry, as it seemed to go without saying. :-) But if this has served as another chance for folks to try to communicate their dismay about it, fair enough.

I don't know if anyone from Adobe will see this, or if they would respond here. My main goal was really just to get the word to people to be very careful about ensuring that they really had applied an 8.0.1 CHF if that was their intention. Thanks for your support in validating that concern, and indeed, please spread the word. I think it may be a problem for many others.
# Posted By Charlie Arehart | 9/24/09 9:50 AM
Well the Merlin Manager has an updater feature to help people keep track of these things and it's running off those Feedburner feeds. I may take a little more time and do an open source app that has the same updater logic that some can place in as a CFAdmin extension. I agree it seems silly not to have this feature in the CFAdmin.
# Posted By John Mason | 9/24/09 2:16 PM
Charlie, I have updated the "ColdFusion Hot Fixes (ColdFusion 8 and later)" KB article page and included the details for CHF3 for CF8.0.1, it should be published soon.

With regards to the "Updates" page, will try and get a change for that page as soon as possible. Thanks for the feedback.
# Posted By David Collie | 9/25/09 11:13 AM
Just following up on this a bit more, I just posted a new open source project called http://cfUpdater.ria... which is simply the stripped out part of Merlin that handles the CF Updates and Patches. Just a lighter version of getting the job done.
# Posted By John Mason | 9/29/09 6:31 PM
The "Updates" page has now been changed to carry only the CF8.0.1 CHFs, along with the download for the CF 8.0.1 updater.
# Posted By David Collie | 10/7/09 5:20 AM
Thanks so much, David, for attending to this matter. I had seen your note from a couple weeks ago, about your first fixing the hot fix page. Meant to say thanks then. Now that both are addressed, I hope it will help avoid confusion. Still, I'll leave the entry here, because surely some may have suffered the confusion while things were not quite correct for so long. I will update the entry right up front to clarify that it's been addressed and point to these comments. I've got a couple other observations of things on the site where pages have not been updated as expected for CF9. If you're interested, drop me a note at charlie at carehart.org.

And John, thanks for sharing the news of your CFUpdater tool, another nice solution.
# Posted By Charlie Arehart | 10/7/09 11:23 AM
Thanks for this very helpful article. The correct updates folder can surely be a challenge to find, especially for multi-site installs.

I found mine at d:\JRun4\servers\{CF_Instance_name}\cfusion.ear\cfusion.war\WEB-INF\cfusion\lib\updates.

Once found, however, it appears there is an easy way to reverse hotfixes by stopping the CF instance and then removing the .jar file from the folder. Of course there is still the issue of restoring the correct /cfide folder (you did back this up before you started your hotfixing, right?).
# Posted By Frank Newman | 6/18/12 9:17 AM
Hi Frank, yes, that is all so. BTW, as for finding the dir within a multiserver deployment (or as you refer to it "multi-site"), I'll just note that I did address that in the body of the blog entry. At least, I pointed out how deep the dir is within an instance.

But I referred to it as [JRun4]\servers\[instancename]\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\updates, when technically, only the cfusion instance uses dashes, and all the others use . (like cfusion.war). Thankfully CF10 will stop that madness. :-)

Anyway, I tweaked my reference to list both (in case you had searched for cfusion.war and not found it in the text above).
# Posted By Charlie Arehart | 6/18/12 11:03 AM
Copyright ©2020 Charlie Arehart