SQL Server Cumulative Updates Are Not Delivered via Windows Update
SQL Server is not patched by Windows Update — cumulative updates must be downloaded and applied manually, making it one of the most commonly under-patched enterprise components.
An attacker who exploits an unpatched SQL Server vulnerability can achieve privilege escalation to sysadmin, remote code execution via the SQL Server service account, or data exfiltration depending on the specific CVE. The risk compounds with each missed CU — a server that has never had CUs applied may be missing years of security fixes.
Microsoft SQL Server receives security fixes through Cumulative Updates (CUs), not through Windows Update or WSUS. Administrators who rely solely on Windows Update to keep their servers patched are unknowingly leaving SQL Server unpatched indefinitely. SQL Server CUs must be downloaded from the Microsoft Update Catalog and applied manually during a maintenance window.
Probably yes if any of these apply:
Affected OS versions
During a routine vulnerability scan, a client discovers their SQL Server 2019 instance is running build 15.0.2000.5 — the original RTM release from 2019. Every CU released in five years has been missed because the team assumed Windows Update handled SQL Server. The instance is missing over 30 security fixes including multiple privilege escalation and RCE vulnerabilities.
Manual remediation steps
⏱ 30–90 minutes
Step 1 — Check SQL Server Version and Patch Level
sqlcmd -Q "SELECT @@VERSION, SERVERPROPERTY('ProductUpdateLevel')" -S localhost 2>$null
Step 2 — Current CU Targets
SQL Server 2022: CU12 (16.0.4115.5) or later
SQL Server 2019: CU27 (15.0.4375.4) or later
SQL Server 2016: SP3 CU17 or later
Step 3 — Download and Apply CU
Verification
sqlcmd -Q "SELECT @@VERSION" -S localhost
# Must show the CU version you installed
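As an added example (not one of this entry's own scripts), the PowerShell below turns the manual Step 1 and Step 2 comparison into a repeatable check: it reads ProductVersion and ProductUpdateLevel from an instance and compares the build against the CU targets listed above. It assumes sqlcmd is on PATH, and because the page gives the SQL Server 2016 target only as "SP3 CU17" without a build number, that entry is left for you to fill in from the Microsoft Update Catalog.

```powershell
# Minimum acceptable builds per major version, taken from the CU targets above.
# Key = major build number (16 = SQL Server 2022, 15 = SQL Server 2019).
# SQL Server 2016 (major 13) is deliberately absent: look up the SP3 CU17 build
# in the Microsoft Update Catalog and add it as 13 = [version]'13.0.x.y'.
$MinimumBuilds = @{
    16 = [version]'16.0.4115.5'   # SQL Server 2022 CU12
    15 = [version]'15.0.4375.4'   # SQL Server 2019 CU27
}

# Offline comparison: takes a ProductVersion string such as '15.0.2000.5'
# and reports whether it meets the minimum build for its major version.
function Test-SqlPatchLevel {
    param(
        [Parameter(Mandatory)][string]$ProductVersion,
        [hashtable]$Minimums = $MinimumBuilds
    )
    $build = [version]$ProductVersion
    if (-not $Minimums.ContainsKey($build.Major)) {
        # Major version not in the table: cannot judge, flag for manual review
        return [pscustomobject]@{ Build = $build; Minimum = $null; Status = 'Unknown' }
    }
    $min = $Minimums[$build.Major]
    [pscustomobject]@{
        Build   = $build
        Minimum = $min
        Status  = if ($build -ge $min) { 'Compliant' } else { 'Behind' }
    }
}

# Live check against an instance (hypothetical helper name). -h -1 drops the
# column header, -W trims padding, so the single output line is "<version> <level>".
function Get-SqlPatchLevel {
    param([string]$Server = 'localhost')
    $query = "SET NOCOUNT ON; SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) " +
             "+ ' ' + ISNULL(CAST(SERVERPROPERTY('ProductUpdateLevel') AS nvarchar(8)), 'RTM')"
    $out = sqlcmd -S $Server -h -1 -W -Q $query 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $out) { throw "Could not query $Server via sqlcmd" }
    $version, $level = ($out | Select-Object -First 1).Trim() -split ' '
    $result = Test-SqlPatchLevel -ProductVersion $version
    $result | Add-Member -NotePropertyName UpdateLevel -NotePropertyValue $level -PassThru
}

# Constructed sample input: the never-patched RTM build from the scenario above.
# Runs without a SQL Server instance; reports Status 'Behind' against 15.0.4375.4.
Test-SqlPatchLevel -ProductVersion '15.0.2000.5'
```

Run `Get-SqlPatchLevel -Server <host\instance>` against each instance in your inventory; any result other than `Compliant` should be scheduled for a CU install in the next maintenance window.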