Microsoft has delivered a sweeping set of security updates across every supported SQL Server release, fixing a vulnerability that allows an authenticated attacker with low privileges to seize complete control of the database engine over a network. The fix lands on July 14, 2026, and if you manage production databases, you need to act now — but the update you choose is just as critical as installing one.

The Vulnerability: What Changed

CVE-2026-47295 is a classic SQL injection flaw inside SQL Server’s own internals. An attacker who can authenticate — even with limited rights — can craft a malicious query that trick the system into granting far more permissions than intended. Once elevated, the attacker can read any data, modify tables, or even crash the service. Microsoft rates the bug Important with a CVSS 3.1 base score of 8.8, reflecting high impact to confidentiality, integrity, and availability, yet requiring only low privileges and no user interaction.

Unlike typical Windows patches that arrive as a single cumulative update, this fix is split across ten distinct packages. That’s because Microsoft maintains two servicing branches for each major SQL Server version: the General Distribution Release (GDR) path, which ships only security and extremely critical fixes, and the Cumulative Update (CU) path, which bundles everything — security, reliability, and feature changes. The July release includes separate GDR and CU updates for SQL Server 2016 SP3, 2017, 2019, 2022, and 2025, plus a special package for the 2016 Azure Connect Feature Pack. No separate driver fixes are needed; everything is wrapped inside the server updates.

What It Means for You

Most home users won’t touch this. SQL Server is a business database, and if you have it running, you’re likely an administrator or developer. For you, the patch is mandatory. An unpatched SQL Server that accepts network connections is an open door to data theft or ransomware payloads. But the real headache isn’t urgency — it’s the branch selection.

If you blindly download the first “security update” link you see, you might install the wrong servicing track. Put a CU-based patch on a server that has only ever received GDR updates, and you’ll permanently shift it onto the CU path, pulling in months of non-security changes that may throw your applications into chaos. Install a GDR patch on a CU-tracking server, and you’ll leave behind security gaps that the GDR wasn’t built to close. The upgrade path you choose today binds you for the life of that server.

Cloud-hosted SQL Servers, including those on Azure Virtual Machines, are just as vulnerable. Microsoft Update can deliver the patches to these instances, but you still must verify the build afterward and schedule maintenance around your workload. Linux-based SQL Server deployments are covered too, using your distribution’s package manager against the configured CU repositories.

How We Got Here

Microsoft introduced the dual servicing model years ago to let organizations choose between stability and rapid feature uptake. GDR updates stick to a baseline (like the RTM release or a service pack) and receive only security and critical fixes. CU updates accumulate everything — functional improvements, performance tweaks, and security — in a single rollout. It’s a one-way door from GDR to CU: you can switch once, but you can never go back.

This patch arrives just a month after SQL Server 2025’s CU6 and SQL Server 2022’s CU25, meaning the GDR packages for those versions address a much older codebase. If you’re on those CUs, you need the CU+GDR security release; if you’re on the RTM baseline, you need the RTM+GDR package. The ten updates cover build ranges precisely, so you must know your exact build number — not just “SQL Server 2022” — to land on the right one.

Complicating matters, the same July patches also fix three other vulnerabilities (CVE-2026-47296, CVE-2026-54118, CVE-2026-55002) in the CU branches, making the update even more compelling for CU adopters.

What to Do Now

Start with a complete inventory. Every SQL Server instance — named, clustered, embedded, development — needs to report its build number. Run this query on each Database Engine instance:

SELECT
    SERVERPROPERTY('ServerName') AS ServerName,
    SERVERPROPERTY('Edition') AS Edition,
    SERVERPROPERTY('ProductVersion') AS ProductVersion,
    SERVERPROPERTY('ProductLevel') AS ProductLevel,
    SERVERPROPERTY('ProductUpdateLevel') AS ProductUpdateLevel,
    SERVERPROPERTY('ProductUpdateReference') AS ProductUpdateReference;

Alternatively, check @@VERSION, the SQL Server error log, or SQL Server Management Studio’s instance properties. The key is the four-part ProductVersion — for example, 16.0.4255.1 rather than a text description.

Next, match that version to the July 2026 patched build. The table below maps each current build range to the update you should install.

Current SQL Server branch Install this KB Patched build
SQL Server 2025 CU branch, builds 17.0.4006.2–17.0.4055.5 KB5101346 17.0.4060.2
SQL Server 2025 RTM/GDR branch, builds 17.0.1000.7–17.0.1115.1 KB5102333 17.0.1125.2
SQL Server 2022 CU branch, builds 16.0.4003.1–16.0.4255.1 KB5101347 16.0.4262.2
SQL Server 2022 RTM/GDR branch, builds 16.0.1000.6–16.0.1180.1 KB5102334 16.0.1190.2
SQL Server 2019 CU branch, builds 15.0.4003.23–15.0.4470.1 KB5102335 15.0.4480.2
SQL Server 2019 RTM/GDR branch, builds 15.0.2000.5–15.0.2170.1 KB5102336 15.0.2180.2
SQL Server 2017 CU branch, builds 14.0.3006.16–14.0.3530.2 KB5102337 14.0.3540.1
SQL Server 2017 RTM/GDR branch, builds 14.0.1000.169–14.0.2110.2 KB5102338 14.0.2120.1
SQL Server 2016 Azure Connect Feature Pack, builds 13.0.7000.253–13.0.7085.1 KB5102339 13.0.7095.1
SQL Server 2016 SP3/GDR, builds 13.0.6300.2–13.0.6490.1 KB5102340 13.0.6500.1

If your built doesn’t appear in this list, your instance may be running an unsupported version. In that case, first upgrade to a supported SQL Server release or baseline before you can apply these security fixes.

Stay on your existing branch — with one exception

  • If the instance has only ever received RTM or GDR updates, install the RTM/GDR package.
  • If the instance has installed any CU, install the corresponding CU+GDR package.
  • If you’re still at a baseline and have never patched, you can choose either path now, but that choice should align with your organization’s established policy.

Remember: moving from GDR to CU is permanent. Once a CU is applied, you cannot revert to the GDR-only track. Test the CU package in a pre-production environment before making that switch for any GDR-tuned server.

High-availability and linked-server considerations

For Availability Groups or failover clusters, patch secondary replicas first, perform a failover, test, and then patch the former primary. Always have current backups and a tested restore procedure.

Microsoft warns of a known issue with the CU releases for SQL Server 2025 (CU6) and SQL Server 2022 (CU25): linked-server queries that use the MSDASQL OLE DB provider with a provider string may fail with error 7416 (access denied — no login mapping). Test these scenarios in staging. Workarounds involve fixing login mappings or rewriting the distributed query, but do not skip the patch because of this; the vulnerability is far more dangerous.

Once the patch is installed, rerun the version query and confirm every instance reports the exact patched build from the table above. Review setup logs, bring replicas back in sync, check SQL Agent jobs, and verify application connectivity.

Outlook

Microsoft’s SQL Server team is accelerating its patch cadence as database-layer attacks become more sophisticated. This update bundles multiple fixes for CU branches, suggesting that future RTM/GDR releases may also accumulate critical corrections. If your organization leans on GDR stability, you’ll still get security checks, but test cycles will remain simpler. CU adopters face more frequent updates with larger payloads — but also faster access to new features. Either way, knowing your build number and branch is now a baseline survival skill for every SQL Server admin.