Last updated: January 12th, 2021
SQL Server 2016 was originally released on June 1st, 2016. It is the last major version of SQL Server to provide servicing explicitly through Service Packs (2017 & 2019 both only have GDR & Cumulative Update branches).
I highly recommend being on Service Pack 2, as the Service Pack 1 and RTM branches have been retired (meaning they will receive no further updates outside of critical security patches). To see why you want to be on at least Service Pack 1, read this post and this post.
You can always download the latest CU for the SP2 branch here; see the table below for the latest updates for the other branches.
| Service Pack 2 | ||||
| Label | Build # | Date | Fixes (Public) | |
|---|---|---|---|---|
| Security Update for CU #15 CVE-2021-1636 |
13.0.5865.1 | 2021-01-12 | 1 | |
This security update addresses an escalation of privilege vulnerability described in CVE-2021-1636. It is also being pushed via Windows Update, so you may get this sooner than you expect it. |
||||
| Cumulative Update #15 | 13.0.5850.14 | 2020-09-28 | 21 (20) | |
| Cumulative Update #14 | 13.0.5830.85 | 2020-08-06 | 18 (16) | |
| Cumulative Update #13 | 13.0.5820.21 | 2020-05-28 | 29 (26) | |
| Cumulative Update #12 | 13.0.5698.0 | 2020-02-25 | 39 (33) | |
| Security Update (CVE-2020-0618) |
13.0.5622.0 | 2020-02-11 | 1 | |
| Fixes a remote code execution vulnerability in Reporting Services. | ||||
| Cumulative Update #11 | 13.0.5598.27 | 2019-12-09 | 29 (26) | |
| Cumulative Update #10 | 13.0.5492.2 | 2019-10-08 | 21 (21) | |
| Cumulative Update #9 | 13.0.5479.0 | 2019-09-30 | 21 (21) | |
| CU #9 was quickly replaced – please move to a later CU. | ||||
| Cumulative Update #8 | 13.0.5426.0 | 2019-07-31 | 33 (28) | |
| Cumulative Update #7 On-Demand Package #2 |
13.0.5382.0 | 2019-07-09 | 1 | |
| Security Update (CVE-2019-1068) |
13.0.5366.0 | 2019-07-09 | 1 | |
| Cumulative Update #7 On-Demand Package #1 |
13.0.5343.1 | 2019-06-24 | 2 | |
| Cumulative Update #7 | 13.0.5337.0 | 2019-05-22 | 28 (27) | |
| Cumulative Update #6 | 13.0.5292.0 | 2019-03-19 | 29 (24) | |
| On-Demand Hotfix for SP2 CU #5 KB #4490133 |
13.0.5270.0 | 2019-02-20 | 1 | |
| Cumulative Update #5 | 13.0.5264.1 | 2019-01-23 | 52 (43) | |
| On-Demand Hotfix for SP2 CU #4 KB #4482972 |
13.0.5237.0 | 2018-12-20 | 3 | |
| The KB article says 13.0.5239.0 but when I installed this build I ended up with 13.0.5237.0. | ||||
| Cumulative Update #4 | 13.0.5233.0 | 2018-11-13 | 42 (36) | |
| Hotfix #4466793 Hotfix #4466994 |
13.0.5221.0 | 2018-10-09 | 2 | |
| Cumulative Update #3 | 13.0.5216.0 | 2018-09-20 | 41 (27) | |
| DO NOT USE – see the warning in KB #4458871. | ||||
| CVE-2018-8273 (CU) KB #4458621 (Download) |
13.0.5201.2 | 2018-08-20 | 1 | |
| CVE-2018-8273 KB #4293807 (Pulled) |
13.0.5161.0 | 2018-08-14 | 1 | |
| Cumulative Update #2 | 13.0.5153.0 | 2018-07-16 | 29 (21) | |
| Cumulative Update #1 | 13.0.5149.0 | 2018-06-27 | 45 (28) | |
|
SP2 GDR builds below – for non-CU path (don't do this)
|
||||
| GDR Security Update (CVE-2021-1636) |
13.0.5103.6 | 2021-01-12 | 1 | |
This security update addresses an escalation of privilege vulnerability described in CVE-2021-1636. It is also being pushed via Windows Update, so you may get this sooner than you expect it. |
||||
| GDR Security Update (CVE-2020-0618) |
13.0.5102.14 | 2020-02-11 | 1 | |
| Fixes a remote code execution vulnerability in Reporting Services. | ||||
| GDR Security Update (CVE-2019-1068) |
13.0.5101.9 | 2019-07-09 | 1 | |
| GDR Security Update (CVE-2018-8273) |
13.0.5081.1 | 2018-08-22 | 1 | |
| Service Pack 2 | 13.0.5026.0 | 2018-04-09 | 75 (75) | |
| Service Pack 1 – Out of Support | ||||
| Label | Build # | Date | Fixes (Public) | |
| CVE-2019-1068 Security Update |
13.0.4604.0 | 2019-07-09 | 1 | |
| KB #4508471 | 13.0.4577.0 | 2019-06-20 | 1 | |
| Cumulative Update #15 | 13.0.4574.0 | 2019-05-16 | 7 (7) | |
| Cumulative Update #14 | 13.0.4560.0 | 2019-03-19 | 7 (7) | |
| Cumulative Update #13 | 13.0.4550.1 | 2019-01-23 | 12 (9) | |
| Cumulative Update #12 | 13.0.4541.0 | 2018-11-13 | 21 (16) | |
| KB #4465443 | 13.0.4531.0 | 2018-09-27 | 1 | |
| Cumulative Update #11 | 13.0.4528.0 | 2018-09-17 | 14 (8) | |
| CVE-2018-8273 (CU) KB #4293808 (Download) |
13.0.4522.0 | 2018-08-14 | 1 | |
| Cumulative Update #10 | 13.0.4514.0 | 2018-07-16 | 26 (21) | |
| Cumulative Update #9 | 13.0.4502.0 | 2018-05-30 | 39 (25) | |
| Cumulative Update #8 | 13.0.4474.0 | 2018-03-19 | 57 (37) | |
| Cumulative Update #7 | 13.0.4466.4 | 2018-01-03 | 29 (22) | |
| Cumulative Update #6 | 13.0.4457.0 | 2017-11-21 | 55 (41) | |
| Cumulative Update #5 | 13.0.4451.0 | 2017-09-18 | 49 (44) | |
| Cumulative Update #4 | 13.0.4446.0 | 2017-08-08 | 63 (49) | |
| Cumulative Update #3 | 13.0.4435.0 | 2017-05-15 | 70 (57) | |
| Cumulative Update #2 | 13.0.4422.0 | 2017-03-20 | 117 (100) | |
| Cumulative Update #1 | 13.0.4411.0 | 2017-01-06 | 63 (55) | |
| SP1 GDR builds below – for non-CU path | ||||
| CVE-2019-1068 GDR Security Update |
13.0.4259.0 | 2019-07-09 | 1 | |
| CVE-2018-8273 (GDR) KB #4458842 (Download) |
13.0.4224.16 | 2018-08-22 | 1 | |
| The original release for the SP1 GDR security fix (below) caused an issue with CEIP, and so the patch was pulled and re-released (see this post). | ||||
| CVE-2018-8273 (GDR) KB #4293801 (Pulled) |
13.0.4223.10 | 2018-08-14 | 1 | |
| Security Advisory ADV180002 KB #4057118 (GDR) |
13.0.4210.6 | 2018-01-03 | 1 | |
| Security Bulletin CVE-2017-8516 KB #4019089 (GDR) |
13.0.4206.0 | 2017-07-16 | 1 | |
| COD Hotfix 3210089 (GDR – MDS Update) |
13.0.4202 | 2016-12-16 | 3 (3) | |
| COD Hotfix 3207512 (GDR – SSRS Update) |
13.0.4199 | 2016-11-23 | 2 (2) | |
| Service Pack 1 | 13.0.4001 | 2016-11-16 | 33 (33) | |
| RTM – Out of Support | ||||
| Label | Build # | Date | Fixes (Public) | |
| Security Advisory ADV180002 KB #4058559 (CU) |
13.0.2218.0 | 2018-01-06 | 1 | |
| Cumulative Update #9 | 13.0.2216.0 | 2017-11-21 | 26 (21) | |
| Cumulative Update #8 | 13.0.2213.0 | 2017-09-18 | 19 (17) | |
| Cumulative Update #7 | 13.0.2210.0 | 2017-08-08 | 33 (30) | |
| Cumulative Update #6 | 13.0.2204.0 | 2017-05-15 | 28 (22) | |
| Cumulative Update #5 | 13.0.2197.0 | 2017-03-20 | 56 (47) | |
| Cumulative Update #4 | 13.0.2193.0 | 2017-01-18 | 65 (57) | |
| COD Hotfix for CU3 (MDS) | 13.0.2190.2 | 2016-12-16 | 3 (3) | |
| Cumulative Update #3 Security Bulletin MS16-136 KB #3194717 |
13.0.2186.6 | 2016-11-08 | 31 (31) | |
| COD Hotfix 3199171 | 13.0.2170.0 | 2016-11-01 | 4 (4) | |
| COD Hotfix 3195813 | 13.0.2169.0 | 2016-10-26 | 4 (4) | |
| Cumulative Update #2 | 13.0.2164.0 | 2016-09-22 | 68 (64) | |
| Cumulative Update #1 | 13.0.2149.0 | 2016-07-25 | 192 (146) | |
| RTM & GDR builds below – for non-CU path | ||||
| Security Advisory ADV180002 KB #4058560 (GDR) |
13.0.1745.2 | 2018-01-06 | 1 | |
| Security Bulletin CVE-2017-8516 KB #4019088 (GDR) |
13.0.1742.0 | 2017-07-16 | 1 | |
| GDR Update (MDS) | 13.0.1728.2 | 2016-12-16 | 3 (3) | |
| Security Bulletin MS16-136 KB #3194716 |
13.0.1722.0 | 2016-11-08 | 1 | |
| GDR for SSAS KB #3179258 |
13.0.1711.0 | 2016-08-17 | 1 | |
| MSVCRT GDR (KB #3164398) |
13.0.1708.0 | 2016-06-04 | 1 | |
| RTM | 13.0.1601.5 | 2016-06-01 | ||
