SQL Server 2016 SP2 CU6: The Update with Significant Changes

SQL Server 2016 SP2 Cumulative Update 6 (CU6) is a significant patch release that addresses over 50 bug fixes, closes a notable security vulnerability, and delivers stability improvements across several core SQL Server components. If you're running SQL Server 2016 SP2 in production, this update warrants your attention.

The original article on this topic was thin on detail. This rewrite gives you the full picture: what changed, why it matters, and how to approach deployment safely.

What Is SQL Server 2016 SP2 CU6?

Cumulative Updates are Microsoft's primary mechanism for delivering post-Service Pack fixes to SQL Server. Unlike Service Packs, which are infrequent and comprehensive, CUs are released on a regular cadence and address specific, targeted issues. SQL Server 2016 SP2 CU6 (KB5005674) was released by Microsoft and sits on top of SQL Server 2016 Service Pack 2, which itself was a substantial update to the 2016 branch.

CU6 is not a routine housekeeping release. The combination of a security fix, Always On improvements, and backup/restore reliability changes makes this one worth prioritising over a standard patch cycle.

What Does SQL Server 2016 SP2 CU6 Fix?

The update addresses more than 50 individual bug fixes. The fixes span several critical areas of SQL Server functionality.

Always On Availability Groups received multiple fixes in this update. Always On is one of the most operationally complex features in SQL Server, and bugs in this area can have serious consequences for high availability environments. If your organisation relies on Availability Groups for disaster recovery or read-scale workloads, CU6 addresses known issues that could affect failover behaviour and replica synchronisation.

Database backup and restore reliability is also improved. Backup and restore are arguably the most important operational functions in any SQL Server environment. Bugs here are not academic. A failed restore when you need it most is a catastrophic outcome, and any fix in this area should be taken seriously.

Security updates are included, which is discussed in more detail below.

Beyond these headline areas, the remaining fixes cover a broad range of SQL Server components including query processing, in-memory OLTP, replication, and the SQL Server Agent. The full list of fixes is documented in the Microsoft Knowledge Base article KB5005674.

What Is the Security Vulnerability Fixed in CU6?

One of the more significant changes in SQL Server 2016 SP2 CU6 involves the remote query timeout option. Microsoft removed support for this option to address a security vulnerability that could allow a remote attacker to execute a denial-of-service (DoS) attack against SQL Server by sending a specially crafted query.

The mechanism of the attack relied on the remote query timeout configuration behaving in a way that could be exploited to exhaust server resources. By removing this option, Microsoft closed the attack surface.

If your applications or middleware currently rely on the remote query timeout setting, you will need to update them to use the query timeout options available in your application framework or connection library. Most modern .NET, JDBC, and ODBC drivers expose query timeout settings at the connection or command level, and these should be used in place of the now-removed server-side option.

This is worth communicating to your development team before deploying CU6 to production. It's a breaking change for any application that explicitly depends on that server configuration option.

How Should You Approach Deploying This Update?

Deploying any cumulative update to a production SQL Server environment requires a structured approach. Rushing a patch into production without testing is one of the more common ways organisations create self-inflicted outages.

Follow these steps when deploying SQL Server 2016 SP2 CU6:

Review the KB article in full. Read Microsoft's KB5005674 documentation and identify any fixes relevant to your specific workloads. Pay particular attention to the remote query timeout change and assess whether any of your applications are affected.
Deploy to a non-production environment first. Install CU6 on a development or UAT instance that mirrors your production configuration as closely as possible. Run your standard regression tests and application smoke tests against it.
Test backup and restore. After applying the update, run a full backup and restore cycle in your test environment. Verify that backups complete successfully and that restores produce a consistent, usable database.
Validate Always On behaviour. If you're running Availability Groups, test a manual failover in your non-production environment after applying the update. Confirm that failover completes cleanly and that replicas resynchronise as expected.
Check application connectivity. Specifically test any application paths that may have used the remote query timeout option. Confirm that timeout behaviour is working correctly via your application-level settings.
Schedule a maintenance window for production. Apply the update during a scheduled maintenance window. Notify stakeholders in advance, particularly if your environment has strict availability requirements.
Monitor post-deployment. After applying CU6 to production, monitor SQL Server error logs, Windows Event Logs, and your performance baselines for at least 48 to 72 hours. Look for any unexpected behaviour in query execution plans, replication latency, or AG replica states.

Where Do You Download SQL Server 2016 SP2 CU6?

You can obtain the update through two primary channels:

Microsoft Download Center - Download the update package directly and apply it manually. This gives you full control over timing and sequencing.
Microsoft Update / WSUS - The update can be delivered through Windows Update channels if your SQL Server instances are configured to receive SQL Server updates this way.

The official Microsoft documentation for this release is available at KB5005674 on the Microsoft Support site. Always download cumulative updates directly from Microsoft sources. Do not use third-party mirrors or redistributions.

Is SQL Server 2016 Still Worth Patching?

This is a fair question. SQL Server 2016 reached end of mainstream support in July 2021, though extended support runs until July 2026. If you're still running SQL Server 2016 in production, you should have a migration roadmap in place. But until that migration happens, keeping your instances fully patched is non-negotiable.

Running an unpatched SQL Server 2016 instance, particularly one with known security vulnerabilities, is an unacceptable risk in any environment handling sensitive data. Extended support still includes security updates, and you should be applying them.

If you haven't already moved to SQL Server 2019 or SQL Server 2022, now is the time to start planning that transition. Both releases offer substantial improvements in performance, security, and manageability.

Key Takeaways

SQL Server 2016 SP2 CU6 (KB5005674) addresses more than 50 bug fixes across Always On Availability Groups, backup and restore, security, and other core components.
A security vulnerability related to the remote query timeout option has been closed by removing support for that configuration option. Applications depending on it will need to be updated.
Always test cumulative updates in a non-production environment before deploying to production. This is not optional.
SQL Server 2016 is in extended support until July 2026. Patching remains mandatory, but a migration plan to a current version should be in progress.
Follow a structured deployment process: review, test, validate, schedule, deploy, and monitor.

Keeping SQL Server environments patched and healthy is one of the most important things you can do to protect your data and maintain system stability. At DBA Services, our managed SQL Server support includes patch assessment, testing, and deployment as part of our standard service. If your team doesn't have the capacity to manage this properly, or if you want a second opinion on your current patch posture, get in touch with our team for a SQL Server health check.

Need help with your SQL Servers?

Find out what's really going on inside your SQL Server environment.
Our health checks uncover critical misconfigurations in 97% of reviews.

Get an Obligation-Free Quote Call 1800 SQL DBACall 1800 775 322

SQL Server 2016 SP2 CU6: The Update with Significant Changes and Important Security Updates

What Is SQL Server 2016 SP2 CU6?

What Does SQL Server 2016 SP2 CU6 Fix?

What Is the Security Vulnerability Fixed in CU6?

How Should You Approach Deploying This Update?

Where Do You Download SQL Server 2016 SP2 CU6?

Is SQL Server 2016 Still Worth Patching?

Key Takeaways

Need help with your SQL Servers?

More from the blog

Boost SQL Server Performance with AI-Assisted Query Optimisation Tools

Proactive Security for SQL Server: Mitigating CVEs and Protecting Your Data

Leverage SQL Server 2022's New Functions for Enhanced Data Analysis and Performance

SQL Server insights, monthly.