The CF2021 Update 9 notice ( https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-9.html ) says "Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin."
But APSB23-47 ( https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html ) says "Note: Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. Check the ColdFusion support matrix below for your supported JDK version." and "Applying the ColdFusion update without a corresponding JDK update will NOT secure the server."
Historically, I've downloaded the latest version of Java 11 and used that to run ColdFusion (e.g., my jvm.config: java.home=/my/downloaded/java). But I noticed the blurb in the Update 9 notice about "Ensure that the JRE bundled with ColdFusion ...this must be at, <cf_root>/jre/bin." so I was confused.
Do I run ColdFusion using /my/downloaded/java but still apply the patch using the old <cf_root>/jre/bin/java? Or is this merely a doc error (I think it is) and I should use the same Java to patch with as I use to run ColdFusion? So if I run CF using /my/downloaded/java then I should patch using /my/downloaded/java too (which I think would make more sense).
Merely doc sloppiness. Your plan is fine. A different way they could word it is that if using Java to run the updater manually, one should NOT use a Java version OTHER than what your CF version supports.
And separately, the version that CF uses should be the latest update of that Java version.
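
One way to apply the plan discussed above (patch with the same Java that runs ColdFusion), as an added example that is not Adobe's tooling or code from this thread: it reads java.home from a jvm.config, confirms that Java's major version is the expected one, and returns that binary for running the downloaded JAR. The function names, the stub JDK, the sample paths, and the expected major version 11 (the poster's Java 11) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Adobe tooling). The stub JDK and paths below are constructed.

# Print java.home from a jvm.config; commented-out lines are skipped, last entry wins.
cf_java_home() {
    sed -n 's/^[[:space:]]*java\.home[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Read `java -version` output on stdin and print the major version.
# Handles both the "11.0.20" and the legacy "1.8.0_381" forms.
java_major() {
    sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1 |
        awk -F. '{ if ($1 == "1") print $2; else print $1 }'
}

# Print the java binary ColdFusion is configured to run with, but only if its
# major version equals the expected one; otherwise explain and fail.
updater_java() {
    config=$1
    want_major=$2
    home_dir=$(cf_java_home "$config")
    [ -n "$home_dir" ] || { echo "no java.home in $config" >&2; return 1; }
    java_bin=$home_dir/bin/java
    [ -x "$java_bin" ] || { echo "$java_bin is not executable" >&2; return 1; }
    major=$("$java_bin" -version 2>&1 | java_major)
    [ "$major" = "$want_major" ] || {
        echo "$java_bin is Java ${major:-unknown}, expected $want_major" >&2
        return 1
    }
    printf '%s\n' "$java_bin"
}

# Constructed demo: a stub "java" stands in for a real JDK so this runs offline.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/jdk/bin"
    cat > "$root/jdk/bin/java" <<'EOF'
#!/bin/sh
echo 'openjdk version "11.0.20"' >&2
EOF
    chmod +x "$root/jdk/bin/java"
    printf '#java.home=/old/jre\njava.home=%s/jdk\n' "$root" > "$root/jvm.config"
    picked=$(updater_java "$root/jvm.config" 11) &&
        echo "would run: $picked -jar <downloaded update JAR>"
    rm -rf "$root"
}
demo
```

On a real server, pass the path of the jvm.config that your instance actually starts with; the check only compares the major version, so whether that JDK is at its latest update release still has to be confirmed against the support matrix.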