Ant script to update ColdFusion 8.0.1 or 9.0.1 with all published patches

Unofficial Updater 2


Unofficial Updater 2 (UU2) is an outgrowth of the frustration that came from trying to manually patch Adobe ColdFusion 8.0.1 with the numerous hot fixes and security bulletins that have been published. It is a tool to provide an easy way of consistently applying applicable hot fixes and security bulletins to Adobe ColdFusion 8.0.1 or 9.0.1.


  1. Use of Unofficial Updater 2 is at your own risk
  2. Unofficial Updater 2 is not endorsed by and does not have any ties to Adobe
  3. ColdFusion Server/process should not be running when you use Unofficial Updater 2
  4. Unofficial Updater 2 can only be run against Adobe ColdFusion 8.0.1 or 9.0.1
  5. Unofficial Updater 2 is updated whenever Adobe releases a new (or changes an existing) hot fix or security bulletin
  6. Unofficial Updater 2 will need to be downloaded and run again when it is updated, to apply all new (or changed) hot fixes or security bulletins from Adobe

What it does

The first time you run Unofficial Updater 2, it will download ALL hotfixes and security bulletins from Adobe for both ColdFusion 8.0.1 and 9.0.1. UU2 will create Unofficial-Updater2-with-downloads.jar, which contains the downloaded hotfixes and security bulletins. This is done because UU2 cannot directly package the updates, and it makes it easier to patch additional servers without the need for an Internet connection.

Once the downloading is complete, UU2 will ask specific questions about how Adobe ColdFusion is installed. It will then produce backups of any directories it will modify. Finally, it will apply the hotfixes and security bulletins according to the published instructions.

UU2 only updates files; it does not modify any settings in ColdFusion such as neo-*.xml or jvm.config.

The files that Unofficial Updater 2 updates, as compared to a clean install of Adobe ColdFusion 8.0.1 or 9.0.1, are listed below:

If you have modified files in CFIDE and/or WEB-INF, they could be changed due to files contained in the updates from Adobe.

How to use

  1. Download the packaged JAR installer
  2. Stop the ColdFusion Server/process you are going to update
  3. Depending upon your system, you might be able to double-click Unofficial-Updater2.jar to run it; otherwise it will need to be run from the command line
  • GUI Installer
    • java -jar Unofficial-Updater2.jar
  • Text Installer
    • java -jar Unofficial-Updater2.jar text
  • Text Installer run as cfusion user on Linux/UNIX
    • su -s /bin/sh "cfusion" -c "java -jar Unofficial-Updater2.jar text"
  • Once Unofficial-Updater2-with-downloads.jar is created, you can use that instead of Unofficial-Updater2.jar
  4. Walk through the screens, entering the appropriate information
  • Be sure to fill in the directory locations correctly; Unofficial Updater 2 will try to validate that they are correct before letting you proceed to the next step
  5. Finish the updater by pressing Apply Updates
  6. On OS X/Linux/UNIX verify (and possibly correct) ownership and permission of the files updated
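
One way to carry out the final ownership and permission check above, as an added example that is not part of Unofficial Updater 2: a POSIX shell function that lists files not owned by the ColdFusion account or left world-writable. The function name, the placeholder path and the optional reference-file argument are assumptions; the reference file is assumed to be a UU2 backup zip written before patching, so only files modified after it are checked.

```shell
#!/bin/sh
# Added example, not part of Unofficial Updater 2.
# Usage: uu2_audit_perms DIR OWNER [REFERENCE_FILE]
# Prints regular files under DIR that are not owned by OWNER or are
# world-writable. Returns 0 if none were found, 1 if any were, 2 on bad input.
# REFERENCE_FILE (assumption: a UU2 backup zip, written before patching)
# restricts the check to files modified after it.
uu2_audit_perms() {
    dir=$1
    owner=$2
    ref=${3:-}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    if [ -n "$ref" ] && [ ! -e "$ref" ]; then
        echo "reference file not found: $ref" >&2
        return 2
    fi
    if [ -n "$ref" ]; then
        found=$(find "$dir" -type f -newer "$ref" \
            \( ! -user "$owner" -o -perm -002 \) -print)
    else
        found=$(find "$dir" -type f \
            \( ! -user "$owner" -o -perm -002 \) -print)
    fi
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Run directly, e.g.: sh uu2_audit.sh /path/to/CFIDE cfusion
# (path and script name are placeholders; "cfusion" is the account used above)
if [ "$#" -ge 2 ]; then
    uu2_audit_perms "$@"
fi
```

Any path it prints can then be corrected with chown or chmod before the ColdFusion server is started again.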

Please see the Wiki: Using Updater 2 for screenshots and walkthrough.


Backups are made of the directories that are modified. The backups are stored in the directory specified when running UU2 and are named {directory-name}-uu2-{datetime-stamp}.zip

Please see Wiki: Restore ACF from UU2 backups for details.


At the core, Unofficial Updater 2 is just an Apache Ant script. Ant was chosen since it could provide cross-platform support. The Ant script was wrapped with Ant Installer to create a GUI and text-based interface which only requires Java 1.5+ to be installed.

ColdFusion 8.0.1

All hot fixes and security bulletins published as of March 29, 2012 for ColdFusion 8.0.1 are applied except if they were superseded by a newer patch and the following:

Both kb404026 and CVE-2009-1876 require modifications to be made to the system configuration. kb404026 requires the ability to modify the Windows registry, and CVE-2009-1876 will modify the connector configuration. kb403750 is not installed since it does not seem to resolve all the issues and breaks other things.

ColdFusion 9.0.1

All hot fixes and security bulletins published as of March 29, 2012 for ColdFusion 9.0.1 are applied except if they were superseded by a newer patch.

Additional Notes

Please refer to the various technotes about changes to configuration options, since Unofficial Updater 2 only updates files; it does not modify any settings in ColdFusion such as neo-*.xml or jvm.config.

Also, it is highly recommended to update the underlying JVM that ColdFusion uses to 1.6.0 Update 24.