There’s just been another release of Java 6 that is relevant for the security of your ColdFusion or Railo servers (but also for anything and anyone else running a Java-based server or client product).
After having pushed out Update 39 just recently, Oracle has released Java 6 Update 41 (also known as JDK 1.6.0_41) and it has become the new security baseline version for Java 6. You will find a more thorough description of the details and what specifically got fixed in the Critical Patch Update document. It’s important to realise that this patch deals with 5 issues, 4 of which are vulnerabilities when running Java as a client. Most likely those wouldn’t be very relevant for you unless you’re running Java client apps via the browser (as applets) or Java Web Start from your server.
However, the 5th issue being fixed is for a vulnerability in the implementation of TLS, DTLS and SSL and I believe that is an issue you’d not want to have hanging around on your server.
Also keep in mind that Oracle’s support for Java 6 runs out by the end of this month (February 2013). That means you most likely won’t get any patches and improvements for Java 6 unless you sign up for a commercial support arrangement with Oracle. Also note that last year Adobe announced that they will provide an official go-ahead to use Java 7 via a patch for customers of ColdFusion 9 and 10 before Java 6 gets EOL’ed.
One might argue that under those circumstances it might be the better option to just wait for Adobe to move and jump from whatever version of Java 6 you’re on to Java 7 right away (to stay within a supported line of technology from a JVM point of view).
When it comes to Railo 4, I don’t see a particular showstopper if you want to use Java 7 right away. It might be worthwhile to double-check on the Railo mailing list though before you throw it on a production server.