Tuesday 5 March 2013

Wait for the dust to settle before installing the recent ColdFusion patches

Hopefully you're aware that Adobe recently released a patch for ColdFusion versions 9.x and 10.x so that they will now run on Java 7. I had a small whine about the poor timing of this release the other day.

After some discussion today, in which I was a peripheral participant, my advice is perhaps to not bother installing it yet.

Today David Epler made a comment on that article I link to above, noticing some fishiness with some of the patch files:
[Were] CFIDE9.zip, CFIDE-901.zip, and CFIDE-902.zip of the respective CHFs updated? The hashes I have for the files from Feb 27 are now different and appear to have been updated on March 1st?

Seems like CFIDE/scripts/ajax/package/cfmap.js was updated on 02-28-13 19:51.

Basically David noticed that those patch files seem to have changed since they were initially released. So if I patched my dev servers on Feb 27, then patched my production servers today, I'd actually be applying a different patch to prod from the one I might have tested on dev. Obviously that's just not on. Once a patch is released: it's released. If one needs to patch further, then that's another patch; you don't update an already released one. This is "Release Process 101" stuff. You can't update an existing patch for the reason I pointed out: people won't know what they're installing and testing, and it just bloody wastes people's time, and could possibly cause them issues. Like I said: it's not on.
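The check David describes (same file name, different hash, one changed member) can be run before a patch that was tested on dev goes anywhere near production. This is an added example, not code from the original post or from Adobe; the two archives are small constructed stand-ins, and `cfform.js` and all file contents are made up for illustration.

```python
import hashlib
import io
import zipfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_digests(archive: bytes) -> dict:
    """Map each file inside a zip to (sha256 of content, stored timestamp)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                out[info.filename] = (sha256_bytes(zf.read(info)), info.date_time)
    return out


def diff_patch(tested: bytes, candidate: bytes) -> dict:
    """Compare the archive tested on dev with the one about to go to prod."""
    if sha256_bytes(tested) == sha256_bytes(candidate):
        return {"identical": True, "added": [], "removed": [], "changed": []}
    old, new = member_digests(tested), member_digests(candidate)
    return {
        "identical": False,
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        # Content differs; a timestamp-only change is not reported here.
        "changed": sorted(n for n in old.keys() & new.keys() if old[n][0] != new[n][0]),
    }


def build_zip(files: dict, when: tuple) -> bytes:
    """Constructed sample data: build a small zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=when), body)
    return buf.getvalue()


# Constructed stand-ins for two downloads published under the same file name.
FEB27 = build_zip({"CFIDE/scripts/ajax/package/cfmap.js": b"// v1\n",
                   "CFIDE/scripts/cfform.js": b"// same\n"}, (2013, 2, 27, 12, 0, 0))
MAR01 = build_zip({"CFIDE/scripts/ajax/package/cfmap.js": b"// v2\n",
                   "CFIDE/scripts/cfform.js": b"// same\n"}, (2013, 2, 28, 19, 51, 0))

if __name__ == "__main__":
    print(diff_patch(FEB27, MAR01))
```

In practice the "tested" side would be the archive (or just its recorded SHA-256) kept from the day the patch was applied to dev, so a silently replaced download is caught before deployment rather than after.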

I'll not regurgitate the rest of the discussion (which also spilled over onto Twitter) - you can read it via the linked article - but if I'm completely honest I still don't know what the hell Adobe is playing at here. From what I can gather I think they updated the download files by accident? Rakshith doesn't really give a very clear explanation (or perhaps I mean "a straight answer", if I am to be less charitable), other than to say even more patched files will be coming along soon. This is good, I guess, as they've found a few bugs in last week's release (and, hey, it's really good they're fixing them).

I doubt there's a major issue with the difference between the old files and the new files, but this whole performance and Adobe's reaction to it really does leave me questioning whether Adobe need to look a bit more closely at how they approach their patching and release process, as they... well... I'm sorry to say it just doesn't seem very "enterprise".

I pointed one of my associates - who is responsible for a large enterprise ColdFusion installation (hundreds of CF instances) - to all this, and the impression I got was that he didn't know whether to laugh or cry. And, to be honest, he's not the only person I've spoken to today about this who has had a similar reaction. Adobe is losing credibility as to whether they can actually deliver an enterprise service, in my opinion. But they are still expecting us to pay for one.

Hopefully Adobe can look at some of their internal processes, give consideration to how they are communicating issues, and they can have a good few months of smooth sailing, whilst still giving us updates to the still-current versions of ColdFusion (9-10.x) as the need arises.

I do urge you to subscribe to that blog article of theirs though, and keep track of what's going on. If I hear more, I'll update this article too.