How to patch Microsoft SQL Server
Microsoft · Database · 6 steps · updated June 2026
SQL Server is serviced with Cumulative Updates (CUs) for each major version (Service Packs were retired after SQL 2016). Back up your databases, install the latest CU for your version, and for Always On availability groups patch the secondary first to minimise downtime.
Microsoft SQL Server has 2 actively-exploited vulnerabilities on the CISA KEV list — patching is urgent.
Check your current version first
Before you patch, record what you're running (T-SQL):
SELECT @@VERSION;
-- or
SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductLevel');

Or paste your version into the checker for an instant verdict.
Step by step
1. Run SELECT @@VERSION (or SERVERPROPERTY) to record the major version, edition and current build.
2. Look up the newest CU for your major version on the Microsoft SQL Server build/version list, and read its notes.
3. Back up all databases (system and user) and ideally snapshot the host before patching.
4. Download the CU from the Microsoft Download Center / Update Catalog and run the installer (GUI or /quiet). Reboot if prompted.
5. For Always On availability groups: patch a secondary replica, fail over to it, then patch the former primary — this keeps downtime to a single failover.
6. Confirm with SELECT SERVERPROPERTY('ProductVersion') that the build advanced to the patched CU.
- Service Packs no longer exist for current SQL Server — Cumulative Updates are the servicing model.
- Always back up databases before a CU; test restores periodically.
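The version checks in steps 1 and 6, plus a replica check for step 5, can be combined into one script. This is an added example, not part of the original page and not Microsoft's own code: `@target_build` is a placeholder to fill in from the CU notes, and the output column names and verdict strings are illustrative.

```sql
-- Added example: run before patching (save the output) and again afterwards.
-- @target_build is a placeholder: set it to the four-part build number that the
-- CU notes list for the update you are installing.
DECLARE @target_build nvarchar(32) = N'REPLACE_ME';

WITH b AS (
    SELECT 'current' AS name,
           CONVERT(nvarchar(32), SERVERPROPERTY('ProductVersion')) AS build
    UNION ALL
    SELECT 'target', @target_build
),
k AS (
    -- Compare builds part by part as integers. Comparing them as text is wrong:
    -- the constructed value '16.0.900.1' sorts after '16.0.4045.5' as a string.
    SELECT name, build,
           PARSENAME(build, 4) AS major,
           ((TRY_CONVERT(bigint, PARSENAME(build, 4)) * 100
           + TRY_CONVERT(bigint, PARSENAME(build, 3))) * 100000
           + TRY_CONVERT(bigint, PARSENAME(build, 2))) * 100000
           + TRY_CONVERT(bigint, PARSENAME(build, 1)) AS sort_key
    FROM b
)
SELECT @@SERVERNAME                             AS instance_name,
       SERVERPROPERTY('Edition')                AS edition,
       c.build                                  AS current_build,
       SERVERPROPERTY('ProductLevel')           AS product_level,
       SERVERPROPERTY('ProductUpdateLevel')     AS update_level,  -- CUn, or NULL
       SERVERPROPERTY('ProductUpdateReference') AS update_kb,
       t.build                                  AS target_build,
       CASE
           WHEN t.sort_key IS NULL       THEN 'set @target_build to a four-part build'
           WHEN c.major <> t.major       THEN 'target is for a different major version'
           WHEN c.sort_key >= t.sort_key THEN 'at or above target build'
           ELSE 'below target build: patch not applied'
       END                                      AS verdict
FROM k AS c
JOIN k AS t ON c.name = 'current' AND t.name = 'target';

-- Always On only: list each replica's role and health so you can tell which
-- node is the secondary to patch first and whether it is ready for failover.
-- Run on the primary; a secondary reports only its own row.
IF CONVERT(int, SERVERPROPERTY('IsHadrEnabled')) = 1
    SELECT ar.replica_server_name, ars.role_desc,
           ars.connected_state_desc, ars.synchronization_health_desc
    FROM sys.dm_hadr_availability_replica_states AS ars
    JOIN sys.availability_replicas AS ar ON ar.replica_id = ars.replica_id;
```

Keep the pre-patch output with your change record so the post-patch run has something to be compared against.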
Official sources
- Advisory: Microsoft Security Update Guide ↗
- Download: Latest SQL Server updates (Microsoft Learn) ↗
Stay ahead of the next one
- Microsoft SQL Server security status & health score — score, open CVEs and safe version.
- Microsoft SQL Server vulnerabilities — the full CVE list and what's exploited.
- Microsoft SQL Server end-of-life dates — don't run a release that's stopped getting fixes.
- Monitor Microsoft SQL Server — get an email alert the moment a new exploited vulnerability lands.
Frequently asked questions
What is the latest version of Microsoft SQL Server?
As of June 2026, the latest supported Microsoft SQL Server release we track is 17.0.4045.5 CU5. Patch to the current release on your branch and confirm the version after updating.
How do I check which version of Microsoft SQL Server I am running?
Use (T-SQL):
SELECT @@VERSION;
-- or
SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductLevel');
Record the result before and after patching to confirm the update applied.
Is Microsoft SQL Server being actively exploited right now?
Yes — 2 Microsoft SQL Server vulnerabilities are on the CISA Known Exploited Vulnerabilities (KEV) list, so attackers are using them in the wild. Patch promptly. See the exploitation radar.
How do I patch Microsoft SQL Server safely without breaking production?
Always test in a non-production environment first, take a backup or snapshot, follow the official vendor advisory, and have a tested rollback. Patch one node at a time for clustered or high-availability setups.
Patch steps are general, well-established guidance for Microsoft SQL Server — always test in a non-production environment first and follow the official Microsoft advisory for your exact version. IsItPatched is independent and not affiliated with Microsoft; this is not a substitute for vendor documentation. See our disclaimer.