For what it's worth..... I worked in a very security aware environment for a while. All CF security patches were implemented in development for a 2 week testing period within 7-30 days of release from Adobe AND all JVM editions were updated in that time period as well if there was a security alert associated with the release (which was nearly every release). If there were no issues in dev, the patches were moved to QA for a week or so and then prod during the next maintenance window. A major security breach could shorten that timeline to days - and even hours if a breach on a server is discovered. On occasion a patch was skipped or delayed due to coding issues, but it wasn't often. It is important to have a test cycle in place because you never know when the next major security hole will be found.
As for 9.01 vs. 9.02 - if you use Verity search functionality, you will need to stay with 9.01 as it is not available in the 9.02 release.

On Fri, Apr 12, 2013 at 8:34 AM, Steven <[email protected]> wrote:

> All,
> while we're on the subject of patching & upgrades..
> last night I patched our *9.01* box with the latest hotfix4 from
> http://helpx.adobe.com/coldfusion/kb/hot-fixes-coldfusion-9.html
> and I followed the steps there.
>
> But I'm still fuzzy on a couple things..
>
> I didn't want to go through the hassle of doing a complete
> uninstall/reinstall to get the box over to the 9.02 series. Am I still in
> danger of having security holes that aren't addressed by the 9.01 series
> hotfixes?
>
> And, also within this hotfix4 I applied -- an "optional" step is to
> upgrade the jvm by getting the latest jdk from oracle, modifying the
> jvm.config to call the new, etc. I elected not to touch the jvm and we are
> still using native (out of the box ver). Am I again in danger of new
> security issues? (I have another Adobe rant. They mention in this step to
> use only the JDKs which are compatible with cf9 -- but don't bother within
> the instructions to tell you which are compatible!).
>
> How did you guys approach your cf9 patching?
> Happy Friday.
>
> Thx,
> Steve
> *armed with coffee*

--
Dawn
