Last updated: February 26th, 2020
SQL Server 2016 was originally released on June 1st, 2016. It is the last major version of SQL Server to provide servicing explicitly through Service Packs (2017 & 2019 both only have GDR & Cumulative Update branches).
I highly recommend being on Service Pack 2, as the Service Pack 1 and RTM branches have been retired (meaning they will receive no further updates outside of critical security patches). To see why you want to be on at least Service Pack 1, read this post and this post.
You can always download the latest CU for the SP2 branch here; see the table below for the latest updates for the other branches.
| Service Pack 2 | ||||
| Label | Build # | Date | Fixes (Public) | |
|---|---|---|---|---|
| Cumulative Update #12 | 13.0.5698.0 | 2020-02-25 | 39 (33) | |
| Security Update (CVE-2020-0618) |
13.0.5622.0 | 2020-02-11 | 1 | |
| Fixes a remote code execution vulnerability in Reporting Services. | ||||
| Cumulative Update #11 | 13.0.5598.27 | 2019-12-09 | 29 (26) | |
| Cumulative Update #10 | 13.0.5492.2 | 2019-10-08 | 21 (21) | |
| Cumulative Update #9 | 13.0.5479.0 | 2019-09-30 | 21 (21) | |
| CU #9 was quickly replaced – please move to a later CU. | ||||
| Cumulative Update #8 | 13.0.5426.0 | 2019-07-31 | 33 (28) | |
| Cumulative Update #7 On-Demand Package #2 |
13.0.5382.0 | 2019-07-09 | 1 | |
| Security Update (CVE-2019-1068) |
13.0.5366.0 | 2019-07-09 | 1 | |
| Cumulative Update #7 On-Demand Package #1 |
13.0.5343.1 | 2019-06-24 | 2 (2) | |
| Cumulative Update #7 | 13.0.5337.0 | 2019-05-22 | 28 (27) | |
| Cumulative Update #6 | 13.0.5292.0 | 2019-03-19 | 29 (24) | |
| Cumulative Update #5 | 13.0.5264.1 | 2019-01-23 | 52 (43) | |
| On-Demand Hotfix for SP2 CU #4 KB #4482972 |
13.0.5237.0 | 2018-12-20 | 3 (3) | |
| Cumulative Update #4 | 13.0.5233.0 | 2018-11-13 | 42 (36) | |
| Cumulative Update #3 | 13.0.5216.0 | 2018-09-20 | 41 (27) | |
| DO NOT USE – see the warning in KB #4458871. | ||||
| CVE-2018-8273 (CU) KB #4458621 (Download) |
13.0.5201.2 | 2018-08-20 | 1 | |
| CVE-2018-8273 KB #4293807 (Pulled) |
13.0.5161.0 | 2018-08-14 | 1 | |
| Cumulative Update #2 | 13.0.5153.0 | 2018-07-16 | 29 (21) | |
| Cumulative Update #1 | 13.0.5149.0 | 2018-06-27 | 45 (28) | |
|
SP2 GDR builds below – for non-CU path (don't do this)
|
||||
| GDR Security Update (CVE-2020-0618) |
13.0.5102.14 | 2020-02-11 | 1 | |
| Fixes a remote code execution vulnerability in Reporting Services. | ||||
| GDR Security Update (CVE-2019-1068) |
13.0.5101.9 | 2019-07-09 | 1 | |
| GDR Security Update (CVE-2018-8273) |
13.0.5081.1 | 2018-08-22 | 1 | |
| Service Pack 2 | 13.0.5026.0 | 2018-04-09 | 75 (75) | |
| Service Pack 1 – Out of Support | ||||
| Label | Build # | Date | Fixes (Public) | |
| CVE-2019-1068 Security Update |
13.0.4604.0 | 2019-07-09 | 1 | |
| Cumulative Update #15 | 13.0.4574.0 | 2019-05-16 | 7 (7) | |
| Cumulative Update #14 | 13.0.4560.0 | 2019-03-19 | 7 (7) | |
| Cumulative Update #13 | 13.0.4550.1 | 2019-01-23 | 12 (9) | |
| Cumulative Update #12 | 13.0.4541.0 | 2018-11-13 | 21 (16) | |
| Cumulative Update #11 | 13.0.4528.0 | 2018-09-17 | 14 (8) | |
| CVE-2018-8273 (CU) KB #4293808 (Download) |
13.0.4522.0 | 2018-08-14 | 1 | |
| Cumulative Update #10 | 13.0.4514.0 | 2018-07-16 | 26 (21) | |
| Cumulative Update #9 | 13.0.4502.0 | 2018-05-30 | 39 (25) | |
| Cumulative Update #8 | 13.0.4474.0 | 2018-03-19 | 57 (37) | |
| Cumulative Update #7 | 13.0.4466.4 | 2018-01-03 | 29 (22) | |
| Cumulative Update #6 | 13.0.4457.0 | 2017-11-21 | 55 (41) | |
| Cumulative Update #5 | 13.0.4451.0 | 2017-09-18 | 49 (44) | |
| Cumulative Update #4 | 13.0.4446.0 | 2017-08-08 | 63 (49) | |
| Cumulative Update #3 | 13.0.4435.0 | 2017-05-15 | 70 (57) | |
| Cumulative Update #2 | 13.0.4422.0 | 2017-03-20 | 117 (100) | |
| Cumulative Update #1 | 13.0.4411.0 | 2017-01-06 | 63 (55) | |
| SP1 GDR builds below – for non-CU path | ||||
| CVE-2019-1068 GDR Security Update |
13.0.4259.0 | 2019-07-09 | 1 | |
| CVE-2018-8273 (GDR) KB #4458842 (Download) |
13.0.4224.16 | 2018-08-22 | 1 | |
| The original release for the SP1 GDR security fix (below) caused an issue with CEIP, and so the patch was pulled and re-released (see this post). | ||||
| CVE-2018-8273 (GDR) KB #4293801 (Pulled) |
13.0.4223.10 | 2018-08-14 | 1 | |
| Security Advisory ADV180002 KB #4057118 (GDR) |
13.0.4210.6 | 2018-01-03 | 1 | |
| Security Bulletin CVE-2017-8516 KB #4019089 (GDR) |
13.0.4206.0 | 2017-07-16 | 1 | |
| COD Hotfix 3210089 (GDR – MDS Update) |
13.0.4202 | 2016-12-16 | 3 (3) | |
| COD Hotfix 3207512 (GDR – SSRS Update) |
13.0.4199 | 2016-11-23 | 2 (2) | |
| Service Pack 1 | 13.0.4001 | 2016-11-16 | 33 (33) | |
| RTM – Out of Support | ||||
| Label | Build # | Date | Fixes (Public) | |
| Security Advisory ADV180002 KB #4058559 (CU) |
13.0.2218.0 | 2018-01-06 | 1 | |
| Cumulative Update #9 | 13.0.2216.0 | 2017-11-21 | 26 (21) | |
| Cumulative Update #8 | 13.0.2213.0 | 2017-09-18 | 19 (17) | |
| Cumulative Update #7 | 13.0.2210.0 | 2017-08-08 | 33 (30) | |
| Cumulative Update #6 | 13.0.2204.0 | 2017-05-15 | 28 (22) | |
| Cumulative Update #5 | 13.0.2197.0 | 2017-03-20 | 56 (47) | |
| Cumulative Update #4 | 13.0.2193.0 | 2017-01-18 | 65 (57) | |
| COD Hotfix for CU3 (MDS) | 13.0.2190.2 | 2016-12-16 | 3 (3) | |
| Cumulative Update #3 Security Bulletin MS16-136 KB #3194717 |
13.0.2186.6 | 2016-11-08 | 31 (31) | |
| COD Hotfix 3199171 | 13.0.2170.0 | 2016-11-01 | 4 (4) | |
| COD Hotfix 3195813 | 13.0.2169.0 | 2016-10-26 | 4 (4) | |
| Cumulative Update #2 | 13.0.2164.0 | 2016-09-22 | 68 (64) | |
| Cumulative Update #1 | 13.0.2149.0 | 2016-07-25 | 192 (146) | |
| RTM & GDR builds below – for non-CU path | ||||
| Security Advisory ADV180002 KB #4058560 (GDR) |
13.0.1745.2 | 2018-01-06 | 1 | |
| Security Bulletin CVE-2017-8516 KB #4019088 (GDR) |
13.0.1742.0 | 2017-07-16 | 1 | |
| GDR Update (MDS) | 13.0.1728.2 | 2016-12-16 | 3 (3) | |
| Security Bulletin MS16-136 KB #3194716 |
13.0.1722.0 | 2016-11-08 | 1 | |
| MSVCRT GDR (KB #3164398) |
13.0.1708.0 | 2016-06-04 | 1 | |
| RTM | 13.0.1601.5 | 2016-06-01 | ||
