SQL Server 2016 was originally released on June 1st, 2016. It is the last major version of SQL Server to provide servicing explicitly through Service Packs (2017 & 2019 both only have GDR & Cumulative Update branches).
After SQL Server 2016 went out of mainstream support on July 13th, 2021, Microsoft has made a final service pack available. Download here and see the announcement blog post here.
I highly recommend being on Service Pack 3, as the other branches have been retired, though there will be no further updates to any branch outside of critical security patches. To see why you want to be on at least Service Pack 1, read this post and this post.
| Service Pack 3 + Azure Connect Feature Pack | ||||
| In May 2022, Microsoft released an optional feature pack with a number of enhancements, mostly to aid interop with Azure SQL Managed Instance. This bumps the engine version to 13.0.7000+ | ||||
| Label | Build # | Date | Fixes | |
|---|---|---|---|---|
| CVE-2022-29143 | 13.0.7016.1 | 2022-06-14 | 1 | |
From the CVE: "An authenticated attacker could exploit the vulnerability by executing a specially crafted query using $ partition against a table with a Column Store index." |
||||
| Azure Connect Feature Pack | 13.0.7000.253 | 2022-05-19 | 5 | |
| Service Pack 3 | ||||
| Label | Build # | Date | Fixes | |
| CVE-2022-29143 | 13.0.6419.1 | 2022-06-14 | 1 | |
From the CVE: "An authenticated attacker could exploit the vulnerability by executing a specially crafted query using $ partition against a table with a Column Store index." |
||||
| On-Demand Hotfix Package #5006943 | 13.0.6404.1 | 2021-10-28 | 2 | |
| This isn't a critical issue for all customers but, if you use Change Tracking or FileTable, it's worth checking out. | ||||
| Service Pack 3 | 13.0.6300.2 | 2021-09-15 | 43 | |
| Service Pack 2 – Out of Support (but click if really you want to see) | ||||
| Label | Build # | Date | Fixes (Public) | |
| CVE-2022-29143 | 13.0.5893.48 | 2022-06-14 | 1 | |
From the CVE: "An authenticated attacker could exploit the vulnerability by executing a specially crafted query using $ partition against a table with a Column Store index." |
||||
| Cumulative Update #17 | 13.0.5888.11 | 2021-03-29 | 20 (17) | |
| Cumulative Update #16 | 13.0.5882.1 | 2021-02-11 | 22 (21) | |
| Security Update for CU #15 CVE-2021-1636 |
13.0.5865.1 | 2021-01-12 | 1 | |
This security update addresses an escalation of privilege vulnerability described in CVE-2021-1636. It is also being pushed via Windows Update, so you may get this sooner than you expect it. |
||||
| Cumulative Update #15 | 13.0.5850.14 | 2020-09-28 | 21 (20) | |
| Cumulative Update #14 | 13.0.5830.85 | 2020-08-06 | 18 (16) | |
| Cumulative Update #13 | 13.0.5820.21 | 2020-05-28 | 29 (26) | |
| Cumulative Update #12 | 13.0.5698.0 | 2020-02-25 | 39 (33) | |
| Security Update (CVE-2020-0618) |
13.0.5622.0 | 2020-02-11 | 1 | |
| Fixes a remote code execution vulnerability in Reporting Services. | ||||
| Cumulative Update #11 | 13.0.5598.27 | 2019-12-09 | 29 (26) | |
| Cumulative Update #10 | 13.0.5492.2 | 2019-10-08 | 21 (21) | |
| Cumulative Update #9 | 13.0.5479.0 | 2019-09-30 | 21 (21) | |
| ⚠️ CU #9 was quickly replaced – please move to a later CU. | ||||
| Cumulative Update #8 | 13.0.5426.0 | 2019-07-31 | 33 (28) | |
| Cumulative Update #7 On-Demand Package #2 |
13.0.5382.0 | 2019-07-09 | 1 | |
| Security Update (CVE-2019-1068) |
13.0.5366.0 | 2019-07-09 | 1 | |
| Cumulative Update #7 On-Demand Package #1 |
13.0.5343.1 | 2019-06-24 | 2 | |
| Cumulative Update #7 | 13.0.5337.0 | 2019-05-22 | 28 (27) | |
| Cumulative Update #6 | 13.0.5292.0 | 2019-03-19 | 29 (24) | |
| On-Demand Hotfix for SP2 CU #5 KB #4490133 |
13.0.5270.0 | 2019-02-20 | 1 | |
| Cumulative Update #5 | 13.0.5264.1 | 2019-01-23 | 52 (43) | |
| On-Demand Hotfix for SP2 CU #4 KB #4482972 |
13.0.5237.0 | 2018-12-20 | 3 | |
| The KB article says 13.0.5239.0 but when I installed this build I ended up with 13.0.5237.0. | ||||
| Cumulative Update #4 | 13.0.5233.0 | 2018-11-13 | 42 (36) | |
| Hotfix #4466793 Hotfix #4466994 |
13.0.5221.0 | 2018-10-09 | 2 | |
| Cumulative Update #3 | 13.0.5216.0 | 2018-09-20 | 41 (27) | |
| ⚠️ DO NOT USE – see the warning in KB #4458871. | ||||
| CVE-2018-8273 (CU) KB #4458621 (Download) |
13.0.5201.2 | 2018-08-20 | 1 | |
| CVE-2018-8273 KB #4293807 (Pulled) |
13.0.5161.0 | 2018-08-14 | 1 | |
| Cumulative Update #2 | 13.0.5153.0 | 2018-07-16 | 29 (21) | |
| Cumulative Update #1 | 13.0.5149.0 | 2018-06-27 | 45 (28) | |
|
SP2 GDR builds below – for non-CU path (don't do this)
|
||||
| CVE-2022-29143 | 13.0.5108.50 | 2022-06-14 | 1 | |
From the CVE: "An authenticated attacker could exploit the vulnerability by executing a specially crafted query using $ partition against a table with a Column Store index." |
||||
| GDR Security Update (CVE-2021-1636) |
13.0.5103.6 | 2021-01-12 | 1 | |
This security update addresses an escalation of privilege vulnerability described in CVE-2021-1636. It is also being pushed via Windows Update, so you may get this sooner than you expect it. |
||||
| GDR Security Update (CVE-2020-0618) |
13.0.5102.14 | 2020-02-11 | 1 | |
| Fixes a remote code execution vulnerability in Reporting Services. | ||||
| GDR Security Update (CVE-2019-1068) |
13.0.5101.9 | 2019-07-09 | 1 | |
| GDR Security Update (CVE-2018-8273) |
13.0.5081.1 | 2018-08-22 | 1 | |
| Service Pack 2 | 13.0.5026.0 | 2018-04-09 | 75 (75) | |
| Service Pack 1 – Out of Support (but click if really you want to see) | ||||
| Label | Build # | Date | Fixes (Public) | |
| CVE-2019-1068 Security Update |
13.0.4604.0 | 2019-07-09 | 1 | |
| KB #4508471 | 13.0.4577.0 | 2019-06-20 | 1 | |
| Cumulative Update #15 | 13.0.4574.0 | 2019-05-16 | 7 (7) | |
| Cumulative Update #14 | 13.0.4560.0 | 2019-03-19 | 7 (7) | |
| Cumulative Update #13 | 13.0.4550.1 | 2019-01-23 | 12 (9) | |
| Cumulative Update #12 | 13.0.4541.0 | 2018-11-13 | 21 (16) | |
| KB #4465443 | 13.0.4531.0 | 2018-09-27 | 1 | |
| Cumulative Update #11 | 13.0.4528.0 | 2018-09-17 | 14 (8) | |
| CVE-2018-8273 (CU) KB #4293808 (Download) |
13.0.4522.0 | 2018-08-14 | 1 | |
| Cumulative Update #10 | 13.0.4514.0 | 2018-07-16 | 26 (21) | |
| Cumulative Update #9 | 13.0.4502.0 | 2018-05-30 | 39 (25) | |
| Cumulative Update #8 | 13.0.4474.0 | 2018-03-19 | 57 (37) | |
| Cumulative Update #7 | 13.0.4466.4 | 2018-01-03 | 29 (22) | |
| Cumulative Update #6 | 13.0.4457.0 | 2017-11-21 | 55 (41) | |
| Cumulative Update #5 | 13.0.4451.0 | 2017-09-18 | 49 (44) | |
| Cumulative Update #4 | 13.0.4446.0 | 2017-08-08 | 63 (49) | |
| Cumulative Update #3 | 13.0.4435.0 | 2017-05-15 | 70 (57) | |
| Cumulative Update #2 | 13.0.4422.0 | 2017-03-20 | 117 (100) | |
| Cumulative Update #1 | 13.0.4411.0 | 2017-01-06 | 63 (55) | |
| SP1 GDR builds below – for non-CU path | ||||
| CVE-2019-1068 GDR Security Update |
13.0.4259.0 | 2019-07-09 | 1 | |
| CVE-2018-8273 (GDR) KB #4458842 (Download) |
13.0.4224.16 | 2018-08-22 | 1 | |
| The original release for the SP1 GDR security fix (below) caused an issue with CEIP, and so the patch was pulled and re-released (see this post). | ||||
| CVE-2018-8273 (GDR) KB #4293801 (Pulled) |
13.0.4223.10 | 2018-08-14 | 1 | |
| Security Advisory ADV180002 KB #4057118 (GDR) |
13.0.4210.6 | 2018-01-03 | 1 | |
| Security Bulletin CVE-2017-8516 KB #4019089 (GDR) |
13.0.4206.0 | 2017-07-16 | 1 | |
| COD Hotfix 3210089 (GDR – MDS Update) |
13.0.4202 | 2016-12-16 | 3 (3) | |
| COD Hotfix 3207512 (GDR – SSRS Update) |
13.0.4199 | 2016-11-23 | 2 (2) | |
| Service Pack 1 | 13.0.4001 | 2016-11-16 | 33 (33) | |
| RTM – Out of Support (but click if really you want to see) | ||||
| Label | Build # | Date | Fixes (Public) | |
| Security Advisory ADV180002 KB #4058559 (CU) |
13.0.2218.0 | 2018-01-06 | 1 | |
| Cumulative Update #9 | 13.0.2216.0 | 2017-11-21 | 26 (21) | |
| Cumulative Update #8 | 13.0.2213.0 | 2017-09-18 | 19 (17) | |
| Cumulative Update #7 | 13.0.2210.0 | 2017-08-08 | 33 (30) | |
| Cumulative Update #6 | 13.0.2204.0 | 2017-05-15 | 28 (22) | |
| Cumulative Update #5 | 13.0.2197.0 | 2017-03-20 | 56 (47) | |
| Cumulative Update #4 | 13.0.2193.0 | 2017-01-18 | 65 (57) | |
| COD Hotfix for CU3 (MDS) | 13.0.2190.2 | 2016-12-16 | 3 (3) | |
| Cumulative Update #3 Security Bulletin MS16-136 KB #3194717 |
13.0.2186.6 | 2016-11-08 | 31 (31) | |
| COD Hotfix 3199171 | 13.0.2170.0 | 2016-11-01 | 4 (4) | |
| COD Hotfix 3195813 | 13.0.2169.0 | 2016-10-26 | 4 (4) | |
| Cumulative Update #2 | 13.0.2164.0 | 2016-09-22 | 68 (64) | |
| Cumulative Update #1 | 13.0.2149.0 | 2016-07-25 | 192 (146) | |
| RTM & GDR builds below – for non-CU path | ||||
| Security Advisory ADV180002 KB #4058560 (GDR) |
13.0.1745.2 | 2018-01-06 | 1 | |
| Security Bulletin CVE-2017-8516 KB #4019088 (GDR) |
13.0.1742.0 | 2017-07-16 | 1 | |
| GDR Update (MDS) | 13.0.1728.2 | 2016-12-16 | 3 (3) | |
| Security Bulletin MS16-136 KB #3194716 |
13.0.1722.0 | 2016-11-08 | 1 | |
| GDR for SSAS KB #3179258 |
13.0.1711.0 | 2016-08-17 | 1 | |
| MSVCRT GDR (KB #3164398) |
13.0.1708.0 | 2016-06-04 | 1 | |
| RTM | 13.0.1601.5 | 2016-06-01 | ||
