How to tell what, if any, hotfixes have been applied to ColdFusion (9 and earlier)

I often see people struggling with confusion over what hotfixes have been applied to CF. They may wonder "which have we applied?", or worse, they may not have applied any and just don't know "how to know" whether they have. I have good news, but it may not be the answer most would suspect.

The common answer offered is that one should use the "system info" page in the CF Admin, and its available "update level" field.

But I will assert that's not the "right answer" after all, or certainly not the "best answer" to really know what hotfixes (plural) have been applied. Know why? If not, I'll explain here, and I'll show what I would say is the "right" answer to "what hotfixes have you applied?"

Not quite the "right answer": look at the "System Info" page

So, again, perhaps the most common answer to that question would be that you can just look in the CF Admin "system information" page (the "i" icon in the top right of the CF Admin). That page offers a lot of info about the CF configuration, but at the top is a set of lines starting with a "System Information" heading.

After the CF and OS version info, you will see an "Update Level" line if you have applied any hotfixes. For instance, you may see it show a value of:

Update Level: /C:/ColdFusion9/lib/updates/chf9010002.jar/

But note I've hedged my wording. First, you won't see that line if no updates have been applied.

Second, and most important, did you know that that only ever shows ONE hotfix, even if you have applied more? And there's no order at all to which is shown (if you have more than one). It's totally random.

Now, one may say "ok, but at least if we have just one applied, this confirms that". Sure, but again, it doesn't answer the real original question, "which hotfixes have we applied?"

The more accurate answer: look in the "updates" directory

Instead, the more accurate way to confirm what (if any) updates you have applied is to look in the actual directory where the key files ("jar" files) for such hotfixes (individual, cumulative, and security) are placed.

In a Standard or Enterprise Server deployment (for CF 6-9), that location would be [coldfusion]\lib\updates. In a multiserver deployment, it would be deep inside the instance, such as [JRun]\servers\[instancename]\cfusion.ear\cfusion.war\WEB-INF\cfusion\lib\updates.

This is the directory in which such jar files are placed if you follow the instructions in the technote for most hotfixes, which tell you to use the "system information" page and its available "update file" file upload field at the top of the page. (What the technotes don't tell you is that you can also just drop the jars into the directory yourself, but be careful to do it in the right place, and to copy in the jar and not the whole zip.)

Note that cumulative hotfix file names start with CHF, then the version number and the CHF number, as in chf8010001.jar. The other two kinds of hotfixes both start with hf and the version number. For security hotfixes, the next number increments with each security hotfix, as in hf801-00001.jar, whereas for individual hotfixes the next number is kind of random and is the hotfix's ID, like hf801-76563.jar. Don't confuse chf8010001.jar with hf801-00001.jar. They are very close in name, but very different.
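As an added example (not from the original post or from Adobe), here is one way to inventory the updates directory and sort the jars by the naming rules just described. The 3-digit version / 4-digit CHF split and the "small number means security hotfix" cutoff are assumptions inferred from the sample names above, and the sample directory is constructed.

```python
import re
import tempfile
from pathlib import Path

# Name patterns as described in the text. Splitting the cumulative name into a
# 3-digit version and 4-digit CHF number is inferred from chf8010001.jar.
CHF_RE = re.compile(r"^chf(\d{3})(\d{4})\.jar$", re.IGNORECASE)
HF_RE = re.compile(r"^hf(\d{3})-(\d+)\.jar$", re.IGNORECASE)

# Assumption: security hotfixes count up from 00001, so a small number is
# treated as "security" and anything larger as an individual hotfix ID.
SECURITY_MAX = 999


def classify(filename):
    """Return (kind, version, number) for a hotfix jar, or None if unrecognised."""
    m = CHF_RE.match(filename)
    if m:
        return ("cumulative", m.group(1), int(m.group(2)))
    m = HF_RE.match(filename)
    if m:
        number = int(m.group(2))
        kind = "security" if number <= SECURITY_MAX else "individual"
        return (kind, m.group(1), number)
    return None


def list_hotfixes(updates_dir):
    """List every jar in the updates directory, not just the one the Admin shows."""
    path = Path(updates_dir)
    if not path.is_dir():
        return []  # directory absent: nothing to list
    jars = sorted(p.name for p in path.iterdir() if p.suffix.lower() == ".jar")
    # Unrecognised jars are kept (classified as None) so they get a manual look.
    return [(name, classify(name)) for name in jars]


def demo():
    """Inventory a constructed updates directory (file names are samples)."""
    names = ("chf8010001.jar", "hf801-00001.jar", "hf801-76563.jar", "notes.txt")
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            (Path(tmp) / name).touch()
        return list_hotfixes(tmp)
```

Point `list_hotfixes()` at [coldfusion]\lib\updates (or the multiserver equivalent) on a real server; it reports only jars, so the other technote steps still have to be tracked separately.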

Still not quite the "complete answer" to the question

It's worth noting a gotcha with either of the approaches above: they only tell you what hotfix "jars" have been applied. They do NOT tell you what, if any, other "steps" of a hotfix technote you have or have not applied. This can include updates to the CFIDE directory, or any of several other lib directories, and so on.

For those, you really have no choice but to track such things manually, and you'd need to manually compare the files on your server to what the technote zips contain. Of course, once you have applied more than one, that becomes a really tedious process to try to track.

(Speaking of which: getting these updates installed right is a frequent source of separate challenges, which I have blogged about previously as, "CF911: Are you finding CF (or CF Admin) busted after applying a hotfix? A few possible reasons".)

Consider the "Unofficial Updater" and "cfUpdater" tools

If "keeping track of all this" is an annoyance, you should know that there are a couple of solutions you may want to consider.

First up, for those on CF 8 or 9, check out David Epler's Unofficial Updater 2, an open source project on Riaforge. You can keep track of news about it on his blog, in the category for it.

Still another tool is John Mason's cfUpdater. While UU2 actually offers you a "pre-built, updated" implementation of CF, cfUpdater leaves the task to you but helps keep you notified and helps manage the update process.

Again, they don't really answer the original question above ("what updates have been applied") but they each in their own way try to help ease the whole update process.

CF10 will certainly make things easier

Finally, of course, for those on CF10 (or who may eventually update to it) there is its new auto hotfix mechanism (the "Server Updates" page of the CF Admin). Specific to the point of this blog entry, it does offer an available "Installed Updates" tab that would show what has been applied.

But beyond that, the tool eases many challenges of applying hotfixes, in a single step (including to multiple instances). And it does handle/track ALL the steps in an update, not just the JAR files. Finally, the auto hotfix mechanism also keeps you notified about hotfixes as they become available.

It will also handle not just hotfixes (and cumulative hotfixes) but also JVM updates and Tomcat updates. (And before someone asks, I'll say that yes, Adobe has announced in various venues that they ARE aware of and are working to offer an update in CF10 to Java 7 and also a more updated version of Tomcat. No more word on that, yet.)

For more on the "Server updates" feature, see the page on it in the CF Admin and Config manual, as well as a blog entry on it from a member of the CF team, from a few months ago (when CF10 was still in beta.)

Still need more help?

Hope all that's helpful. Let me know by comments below what you think or if you have any follow-up questions.

And if I can ever help you with solving CF server troubleshooting problems, whether about hotfixes or anything related to CF, that's what I do for a living, as an independent consultant. I can work with you remotely, on-demand, without you needing to "give me remote access" to your machine. For more on my approach, rates, references, and indeed my satisfaction guarantee, see my consulting page.

Good info, Charlie. Hope all is well. Mike G :-)
# Posted By Mike Givens | 6/18/12 4:05 PM
There's also http://hackmycf.com/... which (with the optional on-server add on) will give you a scheduled report of exactly what is installed...
# Posted By Tom Chiverton | 6/19/12 4:31 AM
We appreciate you such extraordinary blog information
# Posted By Email Marketing Services | 8/22/12 8:57 AM
Thanks for that.
# Posted By Charlie Arehart | 8/24/12 3:05 PM
Thank you this was very helpful.
# Posted By Alina G | 3/27/15 3:50 PM
Alina, thanks so much.
# Posted By Charlie Arehart | 3/27/15 4:56 PM
In case folks find this blog entry (from 2012) later, it's probably a good idea to point out that if you may wonder, "so where can I even find the hotfixes and security updates for CF9?", the best place is Gavin Pickin's "CF Repo". I discuss it further, and offer the link to it, here:

# Posted By Charlie Arehart | 5/8/15 9:22 AM
And yet another comment I should add, to update this post from 2012, is that if you ARE on CF 9.0 or 9.0.1, and have NOT previously applied any updates, and you DO choose to update it to the latest update/patch/cumulative hotfix level, do beware that you will be getting some security updates from 2011 and 2012 that you did not have, and which COULD cause some compatibility issues. (CF 9.0.2 DOES already include those specific security hotfixes.)

I have a blog post I did in 2013 that addresses that more:

# Posted By charlie arehart | 8/31/15 9:38 AM
long time fan of your site.
we lost our unix guy a while ago and now I have to figure out how to do these updates on cf9 linux multiserver setup where I barely know how to do a 'dir' (ls) command :)
what if there is no 'updates' folder created? (at [JRun]\servers\[instancename]\cfusion.ear\cfusion.war\WEB-INF\cfusion\lib\updates. )
[the reason is the java applet in admin console doesn't work in firefox, and in IE updated to latest java just hangs so it never allows for the directory structure to populate in order to browse for the jar file]

which leaves me to do a manual install. then
how do I manually install the jar file?
I do see version 9,0,0,251028 and update level    /apps/jrun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/updates/chf9000003.jar but i manually copied it somewhere but i doubt it is actually installed...

I'm going to try to follow your other post cf9_and_earlier_hotfix_guide.

# Posted By Ed Cheng | 7/26/17 12:31 PM