Microsoft released SQL Server 2016 SP2 Cumulative Update 5 (CU5) and SP1 Cumulative Update 13 (CU13) to address a combined total of over 70 bug fixes across both branches, covering replication, Always On availability groups, backup and restore, query optimiser improvements, and security hardening. If you're running SQL Server 2016 in production, these updates are worth your attention.

Cumulative updates don't always make headlines, but skipping them has a habit of catching organisations out. A bug that seems irrelevant today can become a critical incident the moment your workload shifts, your data volumes grow, or you enable a feature that triggers the underlying defect. Staying current with cumulative updates is one of the lowest-effort, highest-return maintenance tasks a DBA team can perform.

What's Included in SQL Server 2016 SP2 CU5?

SQL Server 2016 SP2 CU5 is the more substantial of the two releases, shipping with over 50 individual bug fixes. The fixes span several core functional areas:

  • Replication - Multiple fixes addressing transactional replication reliability, particularly around distributor behaviour and subscriber synchronisation under load.
  • Always On Availability Groups - Fixes for edge cases in failover logic and secondary replica redo thread performance, which matters significantly in high-availability environments with heavy write workloads.
  • Backup and restore - Corrections to backup metadata handling and restore operations, particularly relevant for environments using compressed or encrypted backups.
  • Security updates - Hardening fixes that address specific vulnerability disclosures. These alone are often sufficient justification for applying the update promptly.
  • General engine stability - A range of fixes targeting memory management, query execution, and error handling under specific conditions.

The SP2 branch is the recommended path for SQL Server 2016. If your environment is still on SP1, SP2 adoption should be a priority before applying further cumulative updates.

What's Included in SQL Server 2016 SP1 CU13?

SQL Server 2016 SP1 CU13 contains over 20 bug fixes, focused primarily on performance, high availability, and framework compatibility. Key areas addressed include:

  • Query optimiser improvements - Refinements to cardinality estimation and plan selection behaviour that can meaningfully affect query performance in complex workloads.
  • High availability fixes - Corrections to log shipping and availability group behaviour that could cause unexpected failovers or replication lag in specific configurations.
  • Windows and .NET Framework compatibility - Updates to ensure reliable operation on current versions of Windows Server and the .NET runtime, which matters for organisations running SQL Server alongside modern application stacks.
  • Performance fixes - Targeted corrections to tempdb contention, parallel query execution, and index maintenance operations.

It's worth noting that SP1 CU13 is one of the later cumulative updates for the SP1 branch. Microsoft's standard policy is to provide cumulative updates for the most recent service pack and the one prior. If you're still on SP1, now is a practical time to plan your migration to SP2, which gives you access to a broader set of fixes and a longer support runway.

Why Cumulative Updates Matter More Than People Think

There's a common misconception that cumulative updates are optional polish, something you apply when you have spare time. That's not how it works in practice.

SQL Server cumulative updates are the primary delivery mechanism for bug fixes between service packs. Microsoft doesn't backport fixes to older CU levels. If you're running SP2 CU2 and a bug was fixed in CU4, you're exposed to that bug regardless of how long you've been running SQL Server 2016. The fix simply doesn't exist in your build.

Security fixes compound this problem. Several of the fixes in both CU5 and CU13 address security-related issues. Running a version of SQL Server with known, publicly documented security vulnerabilities creates real risk, particularly in environments subject to compliance frameworks like the Australian Government's Essential Eight, ISO 27001, or industry-specific standards.

The operational argument is equally straightforward. Bugs in replication, Always On, and backup/restore aren't abstract concerns. These are the features that keep your data consistent, your systems available, and your recovery objectives achievable. A defect in any of these areas can turn a routine failover into a multi-hour incident.

How to Apply SQL Server 2016 SP2 CU5 or SP1 CU13

Applying a cumulative update to SQL Server 2016 follows a consistent process. The steps below apply to both CU5 (SP2) and CU13 (SP1).

  1. Download the update from the Microsoft Update Catalog or directly from the KB article links provided at the end of this article. Verify the file hash before proceeding.
  2. Review the KB article for the specific update. Read through the list of fixes and check whether any apply to issues you've already observed in your environment. This also helps set expectations with stakeholders.
  3. Test in a non-production environment first. This is non-negotiable. Apply the CU to a development or UAT instance that mirrors your production configuration as closely as possible. Run your standard regression tests and monitor for unexpected behaviour.
  4. Check for known issues in the KB article. Microsoft documents any known post-installation issues in the same article. Read this section before you deploy to production.
  5. Schedule a maintenance window for production deployment. SQL Server cumulative updates require a service restart. Plan accordingly and notify affected application teams.
  6. Apply the update by running the installer on each SQL Server instance. For clustered instances or availability groups, follow Microsoft's guidance on rolling upgrades to minimise downtime.
  7. Verify the build number after installation. Run SELECT @@VERSION to confirm the instance is reporting the expected build. For SP2 CU5, the build number is 13.0.5264.1. For SP1 CU13, it is 13.0.4574.0.
  8. Monitor post-update for at least 24 to 48 hours. Watch for changes in query plan behaviour, resource utilisation, and any new errors in the SQL Server error log.
-- Verify your current SQL Server 2016 build after applying the update
SELECT
    @@SERVERNAME AS ServerName,
    @@VERSION AS FullVersion,
    SERVERPROPERTY('ProductVersion') AS ProductVersion,
    SERVERPROPERTY('ProductLevel') AS ProductLevel,
    SERVERPROPERTY('Edition') AS Edition;

Running this query immediately after the update confirms the build number and gives you a clean record for your change management documentation.

Should You Apply These Updates Now?

If you're running SQL Server 2016 SP2 on any CU prior to CU5, yes. Apply CU5. The security fixes alone justify the effort, and the replication and Always On fixes are relevant to a large proportion of production SQL Server environments.

If you're still on SP1, the calculus is slightly different. CU13 is a worthwhile update, but you should also be actively planning your migration to SP2. Running SP1 means you're missing a substantial body of fixes that were delivered through the SP2 release and subsequent SP2 cumulative updates. The migration from SP1 to SP2 is typically straightforward, but it does require testing and a maintenance window.

SQL Server 2016 mainstream support ended in July 2021, with extended support running through July 2026. That means security fixes are still being delivered, but the window for staying on SQL Server 2016 with vendor support is finite. If you haven't already started planning your upgrade path to SQL Server 2019 or 2022, now is the time.

Key Takeaways

  • SQL Server 2016 SP2 CU5 delivers over 50 bug fixes covering replication, Always On availability groups, backup and restore, and security. It should be applied to all SP2 instances running an earlier CU.
  • SQL Server 2016 SP1 CU13 contains over 20 fixes targeting query optimiser behaviour, high availability, and .NET Framework compatibility. It's a worthwhile update, but migrating to SP2 should also be on your roadmap.
  • Cumulative updates are not optional maintenance. They are the primary mechanism for bug and security fix delivery in SQL Server between service packs.
  • Always test cumulative updates in a non-production environment before deploying to production, and verify your build number with SELECT @@VERSION after installation.
  • SQL Server 2016 extended support ends July 2026. If you haven't started planning your upgrade path, that timeline is closer than it looks.

Official Microsoft KB Articles:

Keeping SQL Server current is one part of a broader maintenance picture. DBA Services provides SQL Server health checks and managed support for Australian organisations running SQL Server 2016 and later versions. If you'd like an independent assessment of your patch currency, configuration, and upgrade readiness, get in touch with our team.