[Looking for Charlie's main web site?]

CFMyths: "When I download CF to install it from scratch, it has the latest fixes/updaters"

Today I'm starting a new series on CFMyths, some common misconceptions that I find myself often helping correct on lists/forums or with my troubleshooting customers.

First myth up for consideration:

True or false: "If/when I download CF to install it from scratch, the installer has all the latest fixes (updaters, at least)"

Answer: False (generally). For instance, if you download CF9 today (Dec 2010), you still get CF 9.0, released originally in Oct 2009. You don't get the latest updater (9.0.1 as of this writing, released July 2010), though its existence is at least mentioned on the page, nor of course does it then include any hotfixes or cumulative hotfixes.

Why not, you may wonder? I'll explain more in a moment, along with more about hotfixes and updaters as concepts (and where to find them specifically, for each CF release).

About this CFMyths Series

First, I want to introduce this new series, CFMyths. Today's entry, though prompted by a question on a mailing list, is in fact a frequent source of confusion for folks. Indeed, it's one that I've covered (along with many like it) in a CFMythbusters talk that I've given at various events. Of course, relatively few see such talks, and even though I offer the details in the slides, available on my site, many never dig into those, either I think, so I've long meant to create some blog entries from them.

Today's question prompted me to go ahead and start that series. (And I know I still owe readers the continuation of a CF911 series on memory problems that I started last month. Part 2 is now written. I just needs to refine it. This topic got my attention, and once I started writing, well, here you go. :-)

"So why is the currently available installer not necessarily 'the very latest version'"?

It's about logistics, really. CF runs on many platforms (OS's, web servers, databases, and different releases of each), so it's expensive for Adobe to create new installers. This is why the base version may be left there for quite a while, with you being expected to apply any subsequent updaters or hotfixes. That will surely surprise many, but it's the way it's been for some time (except 8.0.1, when a completely new installer was offered, in addition to one to update those already on CF 8.)

So it's incumbent upon you, when you download a given release, to pay close attention to what version it is. It will be reflected first in the installer filename, such as coldfusion_9_WWE_win64.exe. It will also be listed with the specific version number as reported in the CF Admin and logs once it's installed (such as 9,0,0,251028 for the base version of 9.0, or 9,0,1,274733 for the base version of 9.0.1). You'll then need to check to see if there may be any updates, hotfixes, or cumulative hotfixes. The same is true for 8.0.1, too (whose base build number is 8,0,1,195765). I'll point you to the updaters and hotfixes in a moment.

"What are all these terms? Hotfixes, updaters, CHFs?"

Before proceeding, it may help some readers if I explain the terminology of the various updates for CF that may exist:

  • Hotfixes are individual fixes to specific problems (typically offered as a single jar file, such as hf801-76563.jar, and for which there is usually an individual technote, such as this one for that hotfix, which is a recent fix--Oct 2010--for CF 8.0.1)
  • Cumulative hot fixes (CHFs): when there have been many hotfixes, they will typically be rolled into a cumulative hotfix which includes several(such as the CHF 1 for 9.0.1, which can only be applied to CF 9.0.1, not CF9). There's no fixed number of hotfixes which will trigger Adobe to create a CHF. They are usually deployed also as a single jar, and you are expected to remove any individual hotfixes that are included. Again, the technote for each hotfix will explain these things. As the name implies, they are also cumulative, such that CHF 2 includes all the hotfixes that CHF1 included (with a caveat, discussed below). CHFs do not included new features
  • Updaters: When there have been some number of CHFs, they will often be rolled into an update/updater (like 9.0.1, 8.0.1, 7.0.2, 7.0.1, 6.1). Updaters are always executable installers, and they often do add some minor new functionality to CF.

Adobe has a page that explains more about these terms generically.

Note that when looking at hotfix/CHF filenames(such as hf801-76563.jar), you can tell by its prefix whether it's a hotfix (hf) or CHF and what version it's for (8.0.1, in that example.)

Indeed, that brings up another potential gotcha: be careful about inadvertently applying a hotfix/CHF to the wrong release, or leaving an old HF in that's been obviated by a CHF that includes it. I discuss the potential gotcha of applying the wrong hotfix/CHF for the wrong version in a blog entry, You may have mistakenly applied an 8.0 CHF on a 8.0.1 CF server, and not realize it!

Finally, the Adobe technote page about each hotfix, CHF, or updater will each explain how to apply that particular update. Again, I'll offer links to the key pages for different release updates in a moment. First, there are a couple of other common misconceptions I want to address.

Phew: I bet some readers thought all this should be pretty straightforward, and may be surprised to learn all these details. It's the kind of thing I often find myself helping my customers correct, and again it also often comes up in questions on lists/forums. You might think we've covered all there is, but sadly, there are still some more gotchas.

"At least when I apply an updater, that includes all hotfixes that preceded it, right?"

Well, not necessarily. For instance, when the CF 7 updater 2 (7.0.2) came out, Macromedia decided not to bundle an updated set of JDBC drivers in the updater. It was up to you to download and install those as a manual hotfix. I blogged about that back at the time, in 2006.

Again, the logic was understandable: there were considerable changes introduced by the drivers (licensed from a third party), and forcing it on existing users could have been troublesome. If you wanted the updated drivers, you needed to download (for free, from Adobe) and install them yourself. The installer notes clarified this, so as always, it pays to read the updater documentation carefully. There are often multiple documents for any new updater, including a FAQ, release notes, and more.

"Well, at least with Cumulative Hotfixes, I need apply only the latest, right?"

Again sadly, no, not necessarily. Let's say you're on CF 8.0.1 and never applied any of its 4 CHFs. You may think you can just apply CHF 4 and not bother with anything related to the previous three. Unfortunately, there are often manual steps within any one previous CHFs which you WOULD still need to apply.

In fact, this question (and answer) is important enough that I'll create another entry on that so it's not lost here (where this entry's title will lead some to think it applies only to installing CF from scratch).

"OK, so where do I find these updaters I need to check?"

Fortunately, there's one primary page you can keep an eye on, but technically there are various pages you may want to check, depending on your CF version, to get more or less detail.

First, the main "CF updates" page can be found here. It not only includes updaters and CHFs, it even has them for CF 9, 8, 7, 6, and even 5, as well as CF Builder (and CF Studio!)

For those on CF 9.0.1, it includes the latest CHF1 for CF 9.0.1.

Note that it also lists CHFs for CF 8.0.1, 8.0, and 7.0.2.

As for updaters, it includes those for 9.0.1, 8.0.1, 7.0.2, 7.0.1, 6.1, and so on. (Sadly, there's no HTML anchor within the page for sections like the 9.0.1 updater, so I can't offer a link to that part of the page. But if you're still running CF 9.0, go get it! It includes useful new features.)

As for getting a list of all the individual hotfixes (and CHFs) for any specific releases, there are individual pages for those:

While these list both hotfixes and CHFs, the info on the CHFs should be the same as the main "CF updates" page offered previously. But note that these version-specific update pages may well list new hotfixes that came out after a CHF. Do keep an eye on them.

(You may wish there was a better way to keep up with updates and hotfixes, whether a feed you could follow, or even an automated update mechanism. Sadly, there have been feeds but I'm not aware that is reliably updated by Adobe. And there is no automated update mechanism for CF from Adobe. But there is a free tool and service that solves both those problems, providing an automated update mechanism and constantly updated feed of hotfix notifications. For more information, see Merlin Manager.)

Finally, again, look for another entry to come on the sticky problem of how you can't "just apply the latest CHF" and assume you're good to go on any previous updates for that release. Sadly, it's just not often the case.

First off, thanks for the informative post. I think it provides helpful information and sheds some light on an important topic. Since the word "sadly" was used 5 times within this post I am going to venture a guess that you would agree that the current state of affairs is decidedly sub-optimal.

You mentioned in your post the lack of an automated update mechanism built into the product. I'd wager that 75% of the software on my sever and/or client has the ability to install or at least inform me of the available updates. Not having this obligates me to either "keep watch" or use a third party tool. This forces me into extra steps that I now must take.

I would also take issue with the fact that "it's expensive for Adobe to create new installers" as a justification for never doing it outside of major version releases. I have no insight into Adobe's build or QA process so I can't comment on exactly how inexpensive or expensive it is. I really don't expect a new installer every time a hotfix is created. And I also get that I don't necessarily want all updates that aren't fully backwards compatible. But I don't think it is unreasonable to expect a single installer that will get me to 9.0.1 (which, to me, really completes cf9. The fixes and enhancements addressed some real paint points). Even worse is the situation you described where if I was installing fresh cf8 I could potentially need to sequentially apply 4 CHFs to get current. I don't know exactly where the line should be drawn but it seems to me that it's not in the right place. It shouldn't take this many steps to simply go get the latest and greatest. Of course, If I had a built in update mechanism I could simply install the latest version and let the updater do the rest....

I will say that as developers and sys admins part of our job is to understand and maintain the platform our applications run on. It's our responsibility. But I would also say that Adobe could and should take some small steps to make the process easier for its customers.

Of course, I could be wrong :)
# Posted By Lance Staples | 12/11/10 9:46 PM
I seem to recall that Adobe has a fantastic updater for AIR and Flash, perhaps one day that can share some of that love with the CF Engineers? Just Sayin
# Posted By Tim Cunningham | 12/11/10 9:55 PM
This is easily one of ACF's most embarrassing failures. I can explain away pretty much all of the other rough spots in the platform, but not this one. (The length of this post pretty much says it all.) Keeping a CF installation up to date has been problematic for 15 years. I absolutely don't buy the budget excuse, nor the "you wouldn't want it any other way" reasoning.

It's pretty obvious that this is absolutely not a priority for Adobe, and probably won't be until something devastating like a cross-version CF worm takes hold and won't let go.

The head-in-the-sand approach to updates didn't work out well for Flash - why CF should be any different is beyond me.
# Posted By Rick O | 12/11/10 11:19 PM
Charlie - great idea for a series!

It is odd that Adobe can't address this - especially in this day and age when it seems like everything automatically updates - from simple software to complex operating systems. Merlin Manager looks neat - will have to check that out!
# Posted By Jim Priest | 12/11/10 11:38 PM
Loved this article. I might have missed but I didn't see any mention of security patches. In my experience those are hidden away apart from the updaters and hot fixes. It could be painful to think you were all patched and you you missed a security patch and someone hacks your server.
It would be nice if they at least mentioned the security fixes on the updater pages.
# Posted By Steve Durette | 12/11/10 11:39 PM
Hey guys, thanks for responding. Interesting that all 3 of you have focused on the matter of automated installers. The focus of this entry was more on just the fact the base installer wasn't updated. But clearly I did touch on the other matters, and as it is being discussed by you guys as a pain point, then I guess let's have that discussion.

@Lance, it's also interesting that you noticed my (unfortunate) use of "sadly" 5 times. As a writer, I lament such redundancy, let alone that it was noticed. :-)

As for you guessing from them that I "would agree that the current state of affairs is decidedly sub-optimal", well, technically, I used the word with respect to other issues (how applying subsequent CHFs might require extra manual steps from prior ones; the missing HTML anchor to point to the CHF for 9.0.1; and the lack of a hotfix feed). Still, I suppose the sum of those challenges, plus this entry's subject, could be called sub-optimal.

That said, I understand that there are sometimes reasons for why things are, and I don't tend to hold it against Adobe as strongly as others. (Rick's comment came in as I wrote this, and obviously he feels even more strongly.) When I point things out like this, I'm more just trying to help people than to be taking a dig at Adobe.

As for wishing they had created a 9.0.1 "fresh installer" like they did for CF 8.0.1, sure, I do agree. I can't recall if the 8.0.1 "fresh installer" came out with the 8.0.1 updater, or perhaps came along later. Either way, perhaps Adobe may be persuaded to reconsider on 9.0.1.

As for the need to maybe do manual steps to go from the base to the latest install, well, you've overstated things. I didn't say you'd have to "sequentially apply all 4 CHFs to get current [on cf 8]". I said that there may be manual steps in one or more of the preceding CHFs, which is different. I'll explain more in the next entry.

All that said, I do think that Adobe is well aware of the problem so we can hope that perhaps they will address it in the future. They've been great about addressing a lot of other annoyances in CF over the years.

I wasn't bringing this entry up so much to press Adobe on such things, but just to address the very point Lance said, that "as developers and sys admins part of our job is to understand and maintain the platform our applications run on". I just find that many even concerned and experienced folks seem to have some misunderstandings. That's what I'm hoping to address in this series.

@Rick, as for your comment on Adobe's not creating a new "fresh installer" for 9.0.1, I'm a little confused by your comment, "I absolutely don't buy the budget excuse, nor the 'you wouldn't want it any other way' reasoning." Are you referring to my having offered that "reasoning"? I really don't see how I said that. Do you perhaps have in mind something you heard from Adobe?

As for the update process being "pretty obvious that this is absolutely not a priority for Adobe", again, I hope that's changing, and that it won't take something dire to force their hand.

You bring up the matter of security-related hotfixes, and really that could warrant a whole different discussion, as often CHFs have specifically not included known security fixes at the time. I'll just say, for the benefit of readers trying to wrap their heads around all this, that at least recently Adobe has started to include some security-related fixes in CHFs (the 9.0.1 CHF 1 had some), which is encouraging. There is also a separate security fix list (http://www.adobe.com...) and notification service (http://www.adobe.com...

Thanks, again, to you guys and Tim, Jim, and for your feedback. Of course, I welcome more from you guys or anyone else.
# Posted By Charlie Arehart | 12/11/10 11:43 PM
Doh, Steve, I had written my reply to the others before I noticed your comment. Oh well, fortunately, I did offer mention of the security fixes in that comment. It's a fair point that folks need to know of them, and sometimes in the past had to know of them separate from CHFs. Let's hope that Adobe's recent change of stance in that regard (including them in CHFs recently) is something that will continue.
# Posted By Charlie Arehart | 12/11/10 11:46 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.005. (Want to validate the html in this page?)

Carehart Logo

Managed Hosting Services provided by
Managed Dedicated Hosting