Microsoft released SQL Server 2022 Cumulative Update 1 (CU1) on 16 February 2023, just one day after releasing a General Distribution Release (GDR). The two updates together address critical issues spanning backup integrity, memory management, security vulnerabilities, and high availability. If you're running SQL Server 2022 in production, both updates are worth your immediate attention.

Two updates in two days is unusual, and it signals that Microsoft identified fixes significant enough to warrant separate release tracks. The GDR covers security-only fixes suitable for environments that take a conservative patching approach. CU1 goes further, bundling security fixes alongside functional improvements and bug fixes. Understanding what's in each release helps you make an informed decision about which to apply and when.

What Does SQL Server 2022 CU1 Fix?

CU1 contains 10 notable fixes and improvements. Some are straightforward quality-of-life changes. Others address bugs that could cause data corruption or system unavailability. Here's a clear breakdown.

1. Differential Backup Corruption Risk

This is the most operationally significant fix in CU1. A bug existed where differential backups could skip new Page Free Space (PFS) pages after a data file grows around a PFS boundary. The consequence wasn't just a bad backup - restoring that differential backup could cause database corruption and trigger a crash dump.

If your databases undergo regular growth events and you rely on differential backups as part of your recovery strategy, this bug was a genuine risk. The fix is included in CU1 and should be treated as a priority for any environment using differential backups on SQL Server 2022.

2. Hybrid Buffer Pool Direct Write Enabled by Default

Hybrid Buffer Pool is a SQL Server feature that allows buffer pool pages to reference data directly from persistent memory (PMEM) devices rather than copying data into DRAM. The "direct write" capability extends this by allowing writes to go directly to PMEM without staging through the DRAM buffer pool first.

Before CU1, enabling direct write required explicitly setting trace flag 809. That's a manual step that many environments would miss, particularly if they weren't closely following SQL Server 2022 feature documentation. CU1 removes that requirement. Direct write is now enabled by default when PMEM hardware is present. If you're running SQL Server 2022 on PMEM-equipped servers, you'll get this performance benefit automatically after applying the update.

3. sp_invoke_external_rest_endpoint Scoped to Azure SQL Database

The sp_invoke_external_rest_endpoint stored procedure, which allows SQL code to call REST endpoints directly, is now formally scoped to Azure SQL Database only. This clarifies the feature boundary and prevents confusion about its availability in on-premises or SQL Server on Azure VM deployments. If you've been exploring this feature for on-premises workloads, this is a clear signal that it's not the intended use case.

4. Read Query Failures on Readable Secondary Replicas

In Always On Availability Group environments, read queries directed to a readable secondary replica could be aborted or return unexpected results. The root cause was related to heap tables and forwarding records - a fairly specific scenario, but one that could affect reporting workloads or read-scale configurations that rely on secondary replicas for query offloading. CU1 addresses this behaviour.

5. Access Violation with Temporary Tables in UDFs Using Synonyms

An access violation could occur when temporary tables were invoked inside User-Defined Functions (UDFs) through synonyms. This would manifest as an unexpected SQL Server error rather than a clean query failure. The fix applies to both SQL Server 2022 CU1 and SQL Server 2019 CU19, so if you're running 2019 and hit this pattern in your code, the 2019 CU also addresses it.

6. Security Fix: CREATE STATISTICS and UPDATE STATISTICS Vulnerability

An authenticated attacker could affect SQL Server memory by executing a specially crafted CREATE STATISTICS or UPDATE STATISTICS statement. Microsoft rates this as an important vulnerability. The word "authenticated" is worth noting - this isn't an unauthenticated remote exploit, but it does mean any SQL Server login with sufficient permissions could potentially trigger the issue. Patching this is straightforward. Leaving it unpatched is not justifiable.

7. Memory Leak in Transactional Replication Log Reader Agent

A gradual memory leak was identified in the SQL Server process, caused by the Log Reader Agent used in transactional replication. The leak accumulated under the MEMORYCLERK_SOSNODE memory clerk. In practice, this meant replication-heavy environments would see SQL Server memory consumption creep upward over time, potentially requiring service restarts to recover. This is exactly the kind of subtle issue that can erode server stability over weeks rather than appearing as an immediate failure.

8. Memory Capacity Safeguard for Nested Table Scan Queries

CU1 adds a safeguard for a specific class of queries - nested queries performing table scans - that could cause memory capacity issues severe enough to make the SQL Server instance unavailable. This is described as a rare scenario, but "rare and catastrophic" is a worse outcome than "never." The fix adds protective logic to prevent these queries from exhausting memory.

9. Extensible Key Management and Database Accessibility

High-volume workloads using Extensible Key Management (EKM) for encryption and key generation were experiencing database accessibility issues under load. EKM is commonly used in environments integrating SQL Server with external key management solutions such as Azure Key Vault or third-party hardware security modules. If your environment uses EKM, this fix is directly relevant.

10. CEIP Telemetry Categories Added

CU1 adds query categories to the Microsoft Customer Experience Improvement Program (CEIP) telemetry collected from SQL Server 2022. This is a Microsoft-side improvement for product analytics rather than a functional change for most environments. It's worth being aware of if your organisation has specific data governance policies around telemetry.

Should You Apply the GDR or CU1?

This is a question that comes up every time Microsoft releases both a GDR and a CU in close succession. The answer depends on your patching policy.

The GDR (General Distribution Release) contains security fixes only. It's the appropriate choice for organisations that follow a conservative patching model, where functional changes are tightly controlled and only security patches are applied between major maintenance windows.

CU1 includes everything in the GDR plus functional fixes and improvements. For most production environments, applying CU1 is the better choice because it addresses the differential backup corruption risk and the memory leak in replication, both of which are operational concerns rather than just security concerns.

Microsoft's general guidance is to apply the latest cumulative update. That guidance is sound for SQL Server 2022, particularly given the backup integrity fix in CU1.

One practical note: you cannot apply both the GDR and CU1. They're separate release tracks. If you've already applied the GDR, you can still move to CU1 - it supersedes the GDR.

What's the Best Patching Approach for SQL Server 2022?

Apply updates in a non-production environment first. Validate your critical workloads, check for any compatibility issues, and confirm your backup and restore procedures work correctly post-update. Then promote to production during a scheduled maintenance window.

For SQL Server 2022 specifically, the differential backup fix in CU1 makes this update a priority. Don't wait for the next quarterly patching cycle if your environment uses differential backups.

The full list of fixes in CU1 is documented in Microsoft's official release notes at learn.microsoft.com. Review the complete list before applying to production, particularly if you run any of the affected configurations: transactional replication, Always On Availability Groups with readable secondaries, EKM encryption, or PMEM hardware.
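To see which of those configurations an instance actually uses before scheduling the update, the T-SQL below checks each one in turn. It is an added example, not taken from Microsoft's release notes or from this article's author; the 30-day lookback for differential backups is an assumed window, and the DMV queries need VIEW SERVER STATE.

```sql
-- 1. Current patch level. ProductUpdateLevel reports the CU (e.g. CU1)
--    and is NULL when no cumulative update is installed.
SELECT SERVERPROPERTY('ProductVersion')         AS product_version,
       SERVERPROPERTY('ProductLevel')           AS product_level,
       SERVERPROPERTY('ProductUpdateLevel')     AS update_level,
       SERVERPROPERTY('ProductUpdateReference') AS update_kb;

-- 2. Databases that took differential backups recently (type 'I' in msdb).
--    These are the ones exposed to the PFS-page differential backup bug.
SELECT bs.database_name,
       COUNT(*)                   AS diff_backups_30d,
       MAX(bs.backup_finish_date) AS last_diff_backup
FROM msdb.dbo.backupset AS bs
WHERE bs.type = 'I'
  AND bs.backup_finish_date >= DATEADD(DAY, -30, SYSDATETIME())  -- assumed window
GROUP BY bs.database_name
ORDER BY last_diff_backup DESC;

-- 3. Transactional replication: published databases, plus the current size
--    of the memory clerk the Log Reader Agent leak accumulated under.
SELECT name AS published_database
FROM sys.databases
WHERE is_published = 1;

SELECT type, SUM(pages_kb) / 1024 AS clerk_mb
FROM sys.dm_os_memory_clerks
WHERE type = 'MEMORYCLERK_SOSNODE'
GROUP BY type;

-- 4. Always On replicas that accept read connections as a secondary.
SELECT ag.name AS availability_group,
       ar.replica_server_name,
       ar.secondary_role_allow_connections_desc
FROM sys.availability_replicas AS ar
JOIN sys.availability_groups  AS ag ON ag.group_id = ar.group_id
WHERE ar.secondary_role_allow_connections_desc <> 'NO';

-- 5. EKM providers registered on the instance.
SELECT name, is_enabled
FROM sys.cryptographic_providers;

-- 6. Hybrid buffer pool state, and whether trace flag 809 is still set
--    globally (no longer required for direct write after CU1).
SELECT is_configured, is_enabled
FROM sys.server_memory_optimized_hybrid_buffer_pool_configuration;

DBCC TRACESTATUS (809, -1);
```

An empty result for a section means that configuration is not in use on the instance; sampling the clerk_mb figure at intervals is what shows whether the clerk is growing.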

Key Takeaways

  • SQL Server 2022 CU1 addresses a differential backup bug that could cause database corruption on restore - this alone makes it a priority update for most production environments.
  • The hybrid buffer pool direct write feature is now enabled by default on PMEM hardware, removing the need for trace flag 809.
  • A memory leak in the transactional replication Log Reader Agent is fixed, improving long-term stability for replication-heavy environments.
  • A security vulnerability in CREATE STATISTICS and UPDATE STATISTICS is patched - authenticated attackers could exploit this without the fix.
  • CU1 supersedes the GDR released the previous day. Apply CU1 rather than the GDR unless your patching policy specifically requires security-only updates.

Keeping SQL Server patched is one part of maintaining a healthy environment. It's equally important to validate that your backup strategy, high availability configuration, and performance baselines are working as expected after any update. DBA Services provides SQL Server health checks and managed support for organisations that want confidence their SQL Server environments are properly maintained, patched, and performing optimally. Get in touch if you'd like an independent assessment.