SQL Server 2017 CU15 and SQL Server 2016 SP2 CU7: What You Need to Know
Keeping SQL Server patched isn't optional. Unpatched instances are a leading cause of security incidents and stability problems in production environments, and cumulative updates are Microsoft's primary mechanism for delivering fixes between major releases. SQL Server 2017 Cumulative Update 15 (CU15) and SQL Server 2016 Service Pack 2 Cumulative Update 7 (CU7) both address real, documented bugs that affect production systems running these versions today.
If you're managing SQL Server 2017 or SQL Server 2016 SP2 in your environment, here's what these updates contain, why they matter, and how to approach deployment safely.
What Does SQL Server 2017 CU15 Fix?
SQL Server 2017 CU15 (KB5005680) includes over 30 bug fixes across a range of functional areas. That's not a trivial number. The fixes span some of the most operationally critical components in SQL Server.
Key areas addressed in this cumulative update include:
- Always On Availability Groups - fixes for issues that could affect failover behaviour and replica synchronisation
- Database backup and restore - corrections to bugs that could impact backup reliability and restore operations
- Security updates - patches addressing vulnerabilities in the SQL Server engine
- SQL Server Agent - fixes for job scheduling and execution reliability
- In-Memory OLTP - corrections to memory-optimised table behaviour under certain workloads
- Replication - bug fixes affecting transactional and merge replication scenarios
The Always On and backup/restore fixes deserve particular attention. These aren't cosmetic issues. Bugs in availability group behaviour can affect your RPO and RTO during a failover. Backup and restore bugs can mean the difference between a successful recovery and a failed one when it matters most.
Microsoft's full list of fixes for SQL Server 2017 CU15 is documented at KB5005680 on the Microsoft Support site.
What Does SQL Server 2016 SP2 CU7 Fix?
SQL Server 2016 SP2 CU7 (KB5005675) includes over 20 bug fixes, with a focus on performance and query execution reliability. The query optimiser improvements in this update are worth noting specifically, as they can affect execution plan quality and overall workload performance without any changes to your queries or indexes.
Key areas addressed in this cumulative update include:
- Query optimiser improvements - corrections that can affect plan selection and query performance
- Query execution reliability - fixes for issues that could cause incorrect results or unexpected errors under specific conditions
- Performance improvements - targeted fixes for CPU and memory usage under certain workloads
- Windows and .NET Framework compatibility - updates to ensure SQL Server 2016 SP2 operates correctly on current versions of the underlying platform
- Columnstore index behaviour - fixes for issues affecting columnstore queries and maintenance
The compatibility updates for Windows and .NET Framework are easy to overlook but genuinely matter. As your underlying Windows Server environment is patched and updated, SQL Server needs to remain compatible with those changes. Falling behind on SQL Server cumulative updates while keeping Windows current can introduce unexpected interaction issues.
Microsoft's full list of fixes for SQL Server 2016 SP2 CU7 is documented at KB5005675 on the Microsoft Support site.
How Should You Deploy These Updates?
This is where organisations consistently make mistakes. Downloading and applying a cumulative update directly to production without testing is a risk that's entirely avoidable.
Follow this process for deploying SQL Server cumulative updates safely:
- Review the KB article - Read through the documented fixes. Identify whether any of the bugs fixed are issues you've actually encountered. This gives you a clearer picture of the risk/benefit calculation for your environment.
- Check for known issues - Microsoft occasionally documents known issues introduced by a cumulative update in the same KB article. Read the full article, not just the fixes list.
- Test in a non-production environment first - Deploy the update to a dev or test instance that mirrors your production configuration as closely as possible. Run your standard workloads and any critical queries. Give it at least a few days before proceeding.
- Back up everything before patching production - Take a full backup of all user databases and system databases (including master, msdb, and model) immediately before applying the update to production. This is non-negotiable.
- Plan for a maintenance window - Cumulative updates require a SQL Server service restart. Coordinate with your application teams and schedule downtime accordingly.
- Apply to production and validate - After applying the update, verify that SQL Server has started correctly, check the SQL Server error log for any new errors, and confirm that your key workloads are running as expected.
- Document the change - Record the update version, date applied, and who performed the work. This matters for compliance and for future troubleshooting.
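The backup step above can be checked rather than assumed. The following query is an added example, not part of the original article: it reads the backup history in msdb and flags any online database without a recent full backup, where the @MaxAgeHours threshold is an assumed value you should set to fit your change window.

```sql
-- Added example: pre-patch gate that lists every online database and
-- whether a full backup was completed recently enough to roll back to.
-- @MaxAgeHours is an assumed threshold, not a Microsoft recommendation.
DECLARE @MaxAgeHours int = 4;

WITH LastFull AS (
    -- Most recent full backup per database according to msdb history
    SELECT database_name,
           MAX(backup_finish_date) AS LastFullBackup
    FROM msdb.dbo.backupset
    WHERE type = 'D'              -- 'D' = full database backup
    GROUP BY database_name
)
SELECT d.name                AS DatabaseName,
       d.recovery_model_desc AS RecoveryModel,
       lf.LastFullBackup,
       DATEDIFF(HOUR, lf.LastFullBackup, GETDATE()) AS HoursSinceFull,
       CASE
           WHEN lf.LastFullBackup IS NULL
               THEN 'NO FULL BACKUP ON RECORD'
           WHEN lf.LastFullBackup < DATEADD(HOUR, -@MaxAgeHours, GETDATE())
               THEN 'STALE'
           ELSE 'OK'
       END AS PrePatchStatus
FROM sys.databases AS d
LEFT JOIN LastFull AS lf
       ON lf.database_name = d.name
WHERE d.name <> 'tempdb'          -- tempdb is rebuilt at startup and cannot be backed up
  AND d.state_desc = 'ONLINE'
ORDER BY PrePatchStatus, d.name;  -- 'NO FULL BACKUP...' sorts first, then 'OK', then 'STALE'
```

A row in msdb only shows that a backup completed, not that the file is still present and readable; RESTORE VERIFYONLY against the backup file covers that gap.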
How Do You Check Your Current SQL Server Patch Level?
Before you can plan a patching exercise, you need to know exactly what version you're running. Run this query against any SQL Server instance to get the current version and patch level:
SELECT
    @@SERVERNAME AS ServerName,
    @@VERSION AS FullVersion,
    SERVERPROPERTY('ProductVersion') AS ProductVersion,
    SERVERPROPERTY('ProductLevel') AS ProductLevel,
    SERVERPROPERTY('ProductUpdateLevel') AS UpdateLevel,
    SERVERPROPERTY('Edition') AS Edition;
The ProductVersion value will return something like 14.0.3381.3 for SQL Server 2017. The build number (the third component) maps to a specific cumulative update. You can cross-reference this against Microsoft's published build list to confirm exactly which CU is installed.
SQL Server 2017 uses major version number 14. SQL Server 2016 uses major version number 13. If you're seeing version numbers that don't match current cumulative updates, your instances are behind on patching.
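To turn the version string into a pass/fail answer, the build component can be compared with a baseline. This is an added example, not from the original article; @RequiredBuild holds a placeholder value that you must replace with the build number published in the KB article for the CU you are targeting.

```sql
-- Added example: compare the running build with a required minimum.
-- @RequiredBuild is a PLACEHOLDER, not a real CU build number.
DECLARE @RequiredBuild nvarchar(32) = N'14.0.0.0';

DECLARE @Current nvarchar(128) =
    CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'));

-- PARSENAME splits a dotted four-part string, counting from the right:
-- 4 = major, 3 = minor, 2 = build, 1 = revision.
SELECT
    @@SERVERNAME AS ServerName,
    @Current     AS ProductVersion,
    CASE CONVERT(int, PARSENAME(@Current, 4))
        WHEN 14 THEN 'SQL Server 2017'
        WHEN 13 THEN 'SQL Server 2016'
        ELSE 'Other major version'
    END AS ReleaseName,
    -- ProductUpdateLevel is NULL when no CU level is reported
    ISNULL(CONVERT(nvarchar(128), SERVERPROPERTY('ProductUpdateLevel')),
           N'Not reported') AS UpdateLevel,
    CASE
        WHEN PARSENAME(@Current, 4) <> PARSENAME(@RequiredBuild, 4)
            THEN 'DIFFERENT MAJOR VERSION - use that release''s baseline'
        WHEN CONVERT(int, PARSENAME(@Current, 2))
           < CONVERT(int, PARSENAME(@RequiredBuild, 2))
            THEN 'BEHIND BASELINE'
        ELSE 'AT OR ABOVE BASELINE'
    END AS PatchStatus;
```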
Why Does Staying Current on Cumulative Updates Matter?
Some organisations treat cumulative updates as optional or defer them indefinitely. That approach carries real risk.
From a security perspective, SQL Server vulnerabilities are documented publicly once patches are released. An unpatched instance running a known vulnerable build is a documented target. The longer you defer, the larger the gap between your current build and the patched version, and the more vulnerabilities you're exposed to.
From a stability perspective, cumulative updates fix bugs that are actively causing problems for SQL Server customers. If you're experiencing unexplained errors, performance anomalies, or inconsistent behaviour, there's a reasonable chance a CU contains a fix for your exact issue. Many DBAs have spent days troubleshooting a problem that a CU would have resolved in minutes.
Microsoft recommends applying the latest cumulative update for your SQL Server version as a general best practice. Their servicing model for SQL Server is designed around cumulative updates being safe to apply, but that doesn't mean testing should be skipped.
Key Takeaways
- SQL Server 2017 CU15 (KB5005680) addresses over 30 bugs including critical fixes for Always On Availability Groups, backup and restore, and security vulnerabilities.
- SQL Server 2016 SP2 CU7 (KB5005675) addresses over 20 bugs with notable improvements to the query optimiser, query execution reliability, and platform compatibility.
- Always test cumulative updates in a non-production environment before deploying to production. Take full backups immediately before patching.
- Use SERVERPROPERTY('ProductUpdateLevel') to quickly confirm the current patch level on any SQL Server instance.
- Deferring cumulative updates exposes your environment to known, documented security vulnerabilities and unresolved stability bugs.
Staying on top of SQL Server patching is one of the most straightforward ways to reduce operational risk, but it requires a consistent process and someone accountable for tracking new releases. If your team doesn't have the capacity to monitor and manage SQL Server patching across your environment, DBA Services provides managed SQL Server support that includes proactive patch management, health checks, and update deployment as part of our standard service. Get in touch to find out how we can help keep your SQL Server environment secure and stable.