SQL Server 2025 Updates & Release Notes

This article describes Cumulative Update (CU5) for Microsoft SQL Server 2025. This update package contains six fixes that were issued after the release of SQL Server 2025 Cumulative Update 4. It updates components in the following builds:

• SQL Server - Product version: 17.0.4045.5, file version: 2025.170.4045.5
• Analysis Services - Product version: 17.0.25.223, file version: 2025.170.25.223

Important

To help secure SQL Server on Windows, enable encryption with Extended Protection.

Known issues in this update

Incorrect behavior of SESSION_CONTEXT in parallel plans

Queries that use the built-in SESSION_CONTEXT function might return incorrect results or trigger access violation (AV) dump files when run in parallel query plans. This issue occurs because of the manner in which SESSION_CONTEXT interacts with parallel execution threads, particularly if the session is reset for reuse.

For more information, see the Known issues section in SESSION_CONTEXT.

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists for SQL Server 2025, SQL Server 2022, SQL Server 2019, and SQL Server 2017. Download this Excel file now.

Note

Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

For more information about the bugs that are fixed and enhancements that are included in this cumulative update, see the following table.

• Bug reference 5090650: Fixes an issue in which an EntryPointNotFoundException for GetNumaNodeProcessorMask2 occurs during SQL Server setup on older Windows OS versions.
• Bug reference 5131003: Fixes an XML External Entity (XXE) vulnerability in the Web Service Task by blocking the file:// protocol in WSDL service endpoints to prevent unauthorized file access and denial-of-service attacks.
• Bug reference 5157138: Fixes CPU starvation issues by adding yields at regular intervals during in-memory OLTP garbage collection scan of hash indexes.
• Bug reference 5190195: Allows the FulltextIndexVersion2 feature to be enabled by setting the database-scoped configuration fulltext_index_version to 2. Also fixes an issue in which full-text indexing of .docx files produces incorrect results when paragraphs begin in hyperlinks without trailing whitespace in the preceding paragraph.
• Bug reference 5191365: Fixes a vulnerability that allows SQL injection through the sp_help_spatial_geography_index and sp_help_spatial_geometry_index stored procedures.
• Bug reference 5198210: Adds support for configuring change feed parameters by using mssql.conf.

Original source

Applies To

SQL Server 2025 on Windows (all editions), SQL Server 2025 on Linux (all editions)

Summary

This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:

• CVE-2026-40370 - SQL Server Remote Code Execution Vulnerability

The Microsoft SQL Server components are updated to the following builds in this security update:

• SQL Server - product version: 17.0.4040.1, file version: 2025.170.4040.1

Improvements and fixes included in this update

A downloadable Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists.

Download this Excel file now.

Note: Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

Bug reference | Description | Fix area | Component | Platform
5178546 | This fix addresses an XML external entity (XXE) vulnerability in the Web Service Task that allows an attacker to read arbitrary files from the local file system or cause a denial-of-service (DoS) attack. | Integration Services | Integration Services | Windows

How to obtain and install the update

Method 1: Windows Update

Method 2: Microsoft Update Catalog

Method 3: Microsoft Download Center

How to obtain or download the latest cumulative update package for Linux

To update SQL Server 2025 on Linux to the latest CU, you must first have the Cumulative Update repository configured. Then, update your SQL Server packages by using the appropriate platform-specific update command.

For installation instructions and direct links to the CU package downloads, see the SQL Server 2025 Release Notes.

More information

Prerequisites

Security update deployment information

File hash information

File information

The English version of this package has the file attributes (or later file attributes) that are listed in the following worksheet. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For all supported x64-based versions - Download the list of files that are included in security update 5089899.

Information about protection and security

Protect yourself online: Windows Security support

Learn how we guard against cyber threats: Microsoft Security

Original source

Applies To

SQL Server 2025 on Windows (all editions), SQL Server 2025 on Linux (all editions)

Summary

This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:

• CVE-2026-40370 - SQL Server Remote Code Execution Vulnerability

The Microsoft SQL Server components are updated to the following builds in this security update:

• SQL Server - product version: 17.0.1115.1, file version: 2025.170.1115.1

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists.

Download this Excel file now.

Note: Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

Bug reference | Description | Fix area | Component | Platform
5131006 | This fix addresses an XML external entity (XXE) vulnerability in the Web Service Task that allows an attacker to read arbitrary files from the local file system or cause a denial-of-service (DoS) attack. | Integration Services | Integration Services | Windows

How to obtain and install the update

Method 1: Windows Update

Method 2: Microsoft Update Catalog

Method 3: Microsoft Download Center

More information

Prerequisites

Security update deployment information

File hash information

File information

The English version of this package has the file attributes (or later file attributes) that are listed in the following worksheet. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For all supported x64-based versions - Download the list of files that are included in security update 5091223.

Information about protection and security

Protect yourself online: Windows Security support

Learn how we guard against cyber threats: Microsoft Security

Original source

This article describes Cumulative Update (CU4) for Microsoft SQL Server 2025. This update package contains 11 fixes that were issued after the release of SQL Server 2025 Cumulative Update 3. It updates components in the following builds:

• SQL Server - Product version: 17.0.4035.5, file version: 2025.170.4035.5
• Analysis Services - Product version: 17.0.25.223, file version: 2025.170.25.223

Known issues in this update

Incorrect behavior of SESSION_CONTEXT in parallel plans

Queries that use the built-in SESSION_CONTEXT function might return incorrect results or trigger access violation (AV) dump files when run in parallel query plans. This issue occurs because of the manner in which SESSION_CONTEXT interacts with parallel execution threads, particularly if the session is reset for reuse.

For more information, see the Known issues section in SESSION_CONTEXT.

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists for SQL Server 2025, SQL Server 2022, SQL Server 2019, and SQL Server 2017.

Note

Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

For more information about the bugs that are fixed and enhancements that are included in this cumulative update, see the following table.

4954486 Fixes an issue in contained availability groups that causes DatabaseMail to sends email messages without attachments when using sp_RunMailQuery. SQL Server Client Tools / Database Mail / All

5000227 Fixes an issue in which permissions on stored procedures and other objects in msdb are lost during the SQL Server upgrade process. This issue causes unexpected permission removal for users. SQL Server Engine / Management Services / Windows

5001765 Fixes an issue in which the server could enter an unintended wait state on an internal thread that does not support suspension. This issue potentially causes the program to stop responding. The lock is now acquired by using a spin-wait on such threads instead of blocking. SQL Server on Linux / SQLPAL / Linux

5003709 Fixes an issue in which DTSWizard.exe doesn't open if SQL Server is installed without the SQL Server Integration Services (SSIS) features. Integration Services / Integration Services / Windows

5008479 Fixes an issue in which indexing certain Microsoft Word 6.0 documents by including Full-Text Search causes the filter daemon host process (fdhost.exe) to stop responding. SQL Server Engine / Search / All

5019346 Fixes a memory corruption issue in the audit functionality for contained availability groups. SQL Server Engine / High Availability and Disaster Recovery / All

5028791 Fixes an access violation error that occurs when you query sys.dm_xe_session_targets for instances that run on Windows Server 2025. SQL Server Engine / SQL OS / Windows

5029490 Limits the comparison mode for Json_contains to a value of either 0 (exact match) or 1 (pattern match). The default value is 0. SQL Server Engine / JSON / All

5033606 For contained availability groups (CAG), restricts adding databases to only the currently connected CAG. For DBCreator, restricts adding databases to only the current CAG, and requires the database owner to match the logged-in user. SQL Server Engine / High Availability and Disaster Recovery / All

5063278 Fixes non-yielding scheduler errors and dump files that might occur during a high amount of lazy writer I/O. SQL Server Engine / Replication / All

5071334 Fixes an issue in which inflectional Full-Text Search queries fail for version 2 languages that do not implement an IStemmer. This issue generates error messages that include predicates such as FREETEXT, FREETEXTTABLE, and FORMSOF(INFLECTIONAL, ...). SQL Server Engine / Search / All

Original source

Summary

This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:

CVE-2026-32167 - SQL Server Elevation of Privilege Vulnerability

CVE-2026-32176 - SQL Server Elevation of Privilege Vulnerability

The Microsoft SQL Server components are updated to the following builds in this security update:

SQL Server - product version: 17.0.1110.1, file version: 2025.170.1110.1

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists.

Note:

Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

Bug reference

Description

Fix area

Component

Platform

5029979

This fix addresses an elevation of privilege vulnerability in SQL Server linked servers that allows a low-privileged SQL Server user to gain sysadmin permission.

SQL Server Engine

PolyBase

Linux, Windows

4999182

This fix resolves an issue in SQL Server in which improper neutralization of special elements in SQL commands (SQL injection) allows an authorized attacker to elevate privileges over a network.

SQL Server Engine

SQL Agent

Windows

How to obtain and install the update

Method 1: Windows Update

Method 2: Microsoft Update Catalog

Method 3: Microsoft Download Center

More information

Prerequisites

Security update deployment information

File hash information

File information

The English version of this package has the file attributes (or later file attributes) that are listed in the following worksheet. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For all supported x64-based versions -

Download the list of files that are included in security update 5084814.

Information about protection and security

Protect yourself online:

Windows Security support

Learn how we guard against cyber threats:

Microsoft Security

Original source

Summary

This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:

• CVE-2026-32167 - SQL Server Elevation of Privilege Vulnerability
• CVE-2026-32176 - SQL Server Elevation of Privilege Vulnerability

The Microsoft SQL Server components are updated to the following builds in this security update:

• SQL Server - product version: 17.0.4030.1, file version: 2025.170.4030.1

Improvements and fixes included in this update

A downloadable Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists.

Note:

Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

Bug reference Description Fix area Component Platform

• 5063803 This fix addresses an elevation of privilege vulnerability in SQL Server linked servers that allows a low-privileged SQL Server user to gain sysadmin permissions. SQL Server Engine PolyBase Linux, Windows
• 5052472 This fix resolves an issue in SQL Server in which improper neutralization of special elements in SQL commands (SQL injection) allows an authorized attacker to elevate privileges over a network. SQL Server Engine SQL Agent Windows

How to obtain and install the update

Method 1: Windows Update

Method 2: Microsoft Update Catalog

Method 3: Microsoft Download Center

How to obtain or download the latest cumulative update package for Linux

To update SQL Server 2025 on Linux to the latest CU, you must first have the Cumulative Update repository configured. Then, update your SQL Server packages by using the appropriate platform-specific update command.

For installation instructions and direct links to the CU package downloads, see the SQL Server 2025 Release Notes.

More information

Prerequisites

Security update deployment information

File hash information

File information

The English version of this package has the file attributes (or later file attributes) that are listed in the following worksheet. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For all supported x64-based versions -

Download the list of files that are included in security update 5083245.

Information about protection and security

Protect yourself online: Windows Security support

Learn how we guard against cyber threats: Microsoft Security

Original source

KB5077896 - Cumulative Update 3 for SQL Server 2025

Applies to: SQL Server 2025 on Windows, SQL Server 2025 on Linux

Release Date: March 12, 2026
Version: 17.0.4025.3

Summary

This article describes Cumulative Update (CU3) for Microsoft SQL Server 2025. This update package contains 15
fixes
that were issued after the release of SQL Server 2025 Cumulative Update 2. It updates components in the following builds:

• SQL Server - Product version: 17.0.4025.3, file version: 2025.170.4025.3
• Analysis Services - Product version: 17.0.25.223, file version: 2025.170.25.223

Known issues in this update

Incorrect behavior of SESSION_CONTEXT in parallel plans
Queries that use the built-in
SESSION_CONTEXT
function might return incorrect results or trigger access violation (AV) dump files when run in parallel query plans. This issue occurs because of the manner in which
SESSION_CONTEXT
interacts with parallel execution threads, particularly if the session is reset for reuse.

For more information, see the
Known issues
section in
SESSION_CONTEXT
.

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists for SQL Server 2025, SQL Server 2022, SQL Server 2019, and SQL Server 2017.
Download this Excel file now.

Note
Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

For more information about the bugs that are fixed and enhancements that are included in this cumulative update, see the following table.

Improvements and fixes included in this update

| Bug reference | Description | Fix Area | Component | Platform |
| 4836787 | Fixes a performance scalability issue to reduce false sharing and cache line invalidation on large core-count server configurations. | SQL Server Engine | Column Stores | All |
| 4836829 | Improves performance scalability on large core-count server configurations. | SQL Server Engine | Column Stores | All |
| 4836855 | Improves performance scalability on large core-count server configurations by aligning the I/O completion structure to a 64-byte cache line size. | SQL Server Engine | Backup Restore | All |
| 4845346 | Fixes an issue in which using VECTOR functions causes SqlLocalDB to fail. Fixes an issue in which using
VECTOR
functions causes SqlLocalDB to fail. | SQL Server Engine | SqlLocalDB | Windows |
| 4852207 | Fixes an assertion error and a dump file that might occur if optimized locking and change tracking are both enabled on a database. | SQL Server Engine | Storage Engine | All |
| 4953808 | Fixes an issue in which the configure-only replica of a Contained Availability Group can't be connected after a restart because of a startup failure without the system database. | SQL Server Engine | High Availability and Disaster Recovery | All |
| 4954946 | Fixes an issue where using REGEX functions causes SqlLocalDB to crash. Fixes an issue where using
REGEX
functions causes SqlLocalDB to crash. | SQL Server Engine | SqlLocalDB | Windows |
| 4955141 | Fixes an issue that occurs when using a local monitor server for Log Shipping and Contained Availability Group after failover. | SQL Server Engine | High Availability and Disaster Recovery | All |
| 4955489 | Fixes a typo in sys.dm_os_linux_disk_stats by correcting ios_in_progess to ios_in_progress. Fixes a typo in
sys.dm_os_linux_disk_stats
by correcting
ios_in_progess
to
ios_in_progress
. | SQL Connectivity | Linux | Linux |
| 4986175 | Adds support for the Bulkadmin role and ADMINISTER BULK OPERATIONS permissions, allowing secure bulk data import without requiring sysadmin access (Public Preview). Adds support for the
Bulkadmin
role and
ADMINISTER BULK OPERATIONS
permissions, allowing secure bulk data import without requiring sysadmin access (Public Preview). | SQL Server Engine | Security Infrastructure | Linux |
| 5002842 | Fixes a crash that occurs if a caller requests context that contains only control registers. | SQLPAL | SQLPAL | Linux |
| 5004820 | Adds a configurable full-text search batch timeout by using sp_fulltext_service 'batch_timeout'. Specify a value between 1 minute and 1 hour, in milliseconds. By default, batches time out after 10 minutes if there are no progress updates. Adds a configurable full-text search batch timeout by using
sp_fulltext_service 'batch_timeout'
. Specify a value between 1 minute and 1 hour, in milliseconds. By default, batches time out after 10 minutes if there are no progress updates. | SQL Server Engine | Search | All |
| 5004893 | Fixes an issue in which changing the SQL Server edition on Linux causes the system to use incorrect log file locations for model and msdb databases. | SQL Server Engine | Linux | Linux |
| 5004967 | Adds support for symbolic links in the getattribute API. Adds support for symbolic links in the
getattribute
API. | SQL Server Engine | Linux | Linux |
| 5013499 | Adds a configuration option to add Bulkadmin operations to the allowlist. Adds a configuration option to add
Bulkadmin
operations to the allowlist. | SQL Server Engine | Linux | Linux |

How to obtain or download this CU or the latest CU package

How to obtain or download the latest cumulative update package for Windows (recommended)

How to obtain or download this cumulative update package for Windows from Microsoft Update Catalog

How to obtain or download the latest cumulative update package for Linux

File information

File hash information

Cumulative Update package file information

Notes for this update

Prerequisites

Restart information

Registry information

Important notices

Hybrid environment deployment

Language support

Components (features) updated

Support for this update

How to uninstall this update

How to uninstall this update on Windows

How to uninstall this update on Linux

References

• Announcing updates to the SQL Server Incremental Servicing Model (ISM)
• SQL Server Service Packs are no longer supported starting from SQL Server 2017
• Determine which version and edition of SQL Server Database Engine is running
• Servicing models for SQL Server
• Naming schema and Fix area descriptions for SQL Server software update packages
• Description of the standard terminology that is used to describe Microsoft software updates

Last updated on 03/12/2026

Original source

Applies To

SQL Server 2025 on Windows (all editions), SQL Server 2025 on Linux (all editions)

Summary

Summary
This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:

• CVE-2026-21262 - SQL Server Elevation of Privilege Vulnerability
• CVE-2026-26115 - SQL Server Elevation of Privilege Vulnerability
• CVE-2026-26116 - SQL Server Elevation of Privilege Vulnerability

The Microsoft SQL Server components are updated to the following builds in this security update:

• SQL Server - product version: 17.0.1105.2, file version: 2025.170.1105.2

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists. Download this Excel file now.

Note: Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

Bug reference Description Fix area Component Platform 4991364 Fixes a potential SQL injection vulnerability by removing an internal system stored procedure. SQL Server Engine Internal System Metadata Windows 4973079 Fixes an elevation of privilege vulnerability in the version upgrade process for merge replication. SQL Server Engine Replication Windows 4911781 This hotfix blocks the ALTER USER operation if the target login is the system Administrator account. SQL Server Engine Security Infrastructure Linux, Windows

How to obtain and install the update

• Method 1: Windows Update
• Method 2: Microsoft Update Catalog
• Method 3: Microsoft Download Center

More information

Prerequisites

Security update deployment information

File hash information

File information

The English version of this package has the file attributes (or later file attributes) that are listed in the following worksheet. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
For all supported x64-based versions - Download the list of files that are included in security update ​​​​​​​5077468.

Information about protection and security

• Protect yourself online: Windows Security support
• Learn how we guard against cyber threats: Microsoft Security

Original source

Applies To

• SQL Server 2025 on Windows (all editions)
• SQL Server 2025 on Linux (all editions)

Summary

This security update contains fixes and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories:

• CVE-2026-21262 - SQL Server Elevation of Privilege Vulnerability
• CVE-2026-26115 - SQL Server Elevation of Privilege Vulnerability
• CVE-2026-26116 - SQL Server Elevation of Privilege Vulnerability

The Microsoft SQL Server components are updated to the following builds in this security update:

• SQL Server - product version:
  17.0.4020.2, file version: 2025.170.4020.2

Improvements and fixes included in this update

A downloadable Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists.
Download this Excel file now.

Note:
Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

Bug reference Description Fix area Component Platform 4991631 Fixes a potential SQL injection vulnerability by removing an internal system stored procedure. SQL Server Engine Internal System Metadata Windows 4973077 Fixes an elevation of privilege vulnerability in the version upgrade process for merge replication. SQL Server Engine Replication Windows 4992231 This hotfix blocks the ALTER USER operation if the target login is the system Administrator account. SQL Server Engine Security Infrastructure Linux, Windows

How to obtain and install the update

• Method 1: Windows Update
• Method 2: Microsoft Update Catalog
• Method 3: Microsoft Download Center

How to obtain or download the latest cumulative update package for Linux

To update SQL Server 2025 on Linux to the latest CU, you must first have the
Cumulative Update repository configured. Then, update your SQL Server packages by using the appropriate platform-specific update command.

For installation instructions and direct links to the CU package downloads, see the
SQL Server 2025 Release Notes.

More information

Prerequisites

Security update deployment information

File hash information

File information

The English version of this package has the file attributes (or later file attributes) that are listed in the following worksheet. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For all supported x64-based versions -
Download the list of files that are included in security update ​​​​​​​5077466.

Information about protection and security

Protect yourself online:
Windows Security support

Learn how we guard against cyber threats:
Microsoft Security

Original source

Known issues in this update

Incorrect behavior of SESSION_CONTEXT in parallel plans
Queries that use the built-in SESSION_CONTEXT function might return incorrect results or trigger access violation (AV) dump files when run in parallel query plans. This issue occurs because of the manner in which SESSION_CONTEXT interacts with parallel execution threads, particularly if the session is reset for reuse.
For more information, see the Known issues section in SESSION_CONTEXT.

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists for SQL Server 2025, SQL Server 2022, SQL Server 2019, and SQL Server 2017. Download this Excel file now.

Note
Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

For more information about the bugs that are fixed and enhancements that are included in this cumulative update, see the following table.

Improvements and fixes included in this update:

• Bug reference 4838699: Fixes an issue that causes StripedVdi tests to fail if the Sqlvdi.dll file isn't registered on running instances. Fix area: SQL Server Engine, Backup Restore, Platform: Windows
• Bug reference 4860948: For cluster_type = NONE or EXTERNAL, availability group (AG) properties exist on only the local replica. This update writes the properties to the AG configuration so that all AG replicas receive the same properties. Fix area: SQL Server Engine, High Availability and Disaster Recovery, Platform: All
• Bug reference 4869015: Fixes a potential inaccuracy in resource governor accounting for the tempdb space if accelerated database recovery is enabled for tempdb. Fix area: SQL Server Engine, Resource Governor, Platform: All
• Bug reference 4924793: Fixes an issue in which an assertion and a dump file are generated around midnight on New Year’s Day during an operation that accesses Azure Blob Storage. Fix area: SQL Server Engine, Storage Management, Platform: All
• Bug reference 4925942: Fixes an issue that triggers nonyielding scheduler dump files in PmmLogAcceptBlock on the availability group (AG) secondary replica. The issue occurs if the persistent log buffer is enabled, and the database log cache contains primarily tiny log records. Fix area: SQL Server Engine, Log Management, Platform: All
• Bug reference 4931611: Fixes an issue in which the distributor is part of an availability group (AG) and uses case-sensitive (_CS) collation. The distribution agent incorrectly uses the AG primary replica name instead of AG listener name. Fix area: SQL Server Engine, Replication, Platform: All

How to obtain or download this CU or the latest CU package

File information

Notes for this update

How to uninstall this update

References

Original source

This article describes the updates to the SQL Server incremental servicing model (ISM) for SQL Server 2017 as they relate to the Service Pack (SP) policy. For more information about the changes to the SQL Server ISM, see An Incremental Servicing Model is available from the SQL Server team to deliver hotfixes for reported problems.

Note

Earlier versions of SQL Server are not affected by this SP policy change. Service Packs (SPs) will continue to be provided for the reminder of mainstream support for SQL Server 2014 and SQL Server 2016.

The Modern Servicing Model (MSM)

Starting from SQL Server 2017:

• SPs will no longer be available. Only Cumulative Updates (CUs) and critical updates (GDRs) will be provided.

• CUs will contain localized content if it's necessary as what SPs have done.

• CUs will be delivered more frequently at first and then less frequently: every month for the first 12 months, and then every quarter for the final four years of the five-year mainstream lifecycle.

Note

The MSM only applies to SQL Server 2017 and later versions.

FAQ

• Q:
  SPs were fully localized, and one update file was released for every supported language. How will this work with only CUs?

• A:
  CUs will be localized starting from SQL Server 2017, and they will handle this requirement and continue only releasing a single language-agnostic update file.

• Q:
  Microsoft provided "slipstream" packages (RTM+SPn in a single media package) at each SP at approximately yearly intervals. How will this work without SPs?

• A:
  CU based slipstream media will be provided at approximately yearly intervals. For example, when CU12 for SQL Server 2017 is released, the slipstream media that has SQL Server 2017 CU12 preinstalled is also provided.

• Q:
  Previously, when SP2 was released, for example, an instance on the RTM baseline would have to be upgraded to SP1 or SP2 to receive a hotfix. How will this work without SPs?

• A:
  Without SPs, the only baseline will be RTM, and it will receive CUs for five years. There's no minimum servicing level requirement to receive CUs any longer.

• Q:
  Is the SQL Server lifecycle policy affected because there are no SPs any longer?

• A:
  No, the servicing lifecycle has not changed from SQL Server 2016 as it relates to mainstream and extended support.

References

• KB 935897
  An Incremental Servicing Model is available from the SQL Server team to deliver hotfixes for reported problems

• KB 3177534
  How to obtain the latest SQL Server 2016 service pack

• KB 2958069
  How to obtain the latest SQL Server 2014 service pack

• KB 2755533
  How to obtain the latest SQL Server 2012 service pack

• KB 2527041
  How to obtain the latest SQL Server 2008 R2 service pack

• KB 968382
  How to obtain the latest SQL Server 2008 service pack

• Microsoft SQL Server support lifecycle

• KB 321185
  How to determine the version and edition of SQL Server and its components

• The script to determine which version and edition of SQL Server Database Engine is running.

• KB 957826
  The builds for all SQL Server versions

• KB 822499
  Naming schema and Fix area descriptions for SQL Server software update packages

• KB 824684
  Description of the standard terminology that is used to describe Microsoft software updates

Original source

Summary

Important

This update is temporarily unavailable for download because of a known issue related to Database Mail.

This article describes Cumulative Update package 1 (CU1) for Microsoft SQL Server 2025. This update contains 16 fixes that were issued after the initial release of SQL Server 2025. It updates components in the following builds:

• SQL Server - Product version: 17.0.4005.7, file version: 2025.170.4005.7
• Analysis Services - Product version: 17.0.25.223, file version: 2025.170.25.223

Known issues in this update

Database Mail stops working after updating

Database Mail stops working after you install this cumulative update. You might see the following error message:
Could not load file or assembly 'Microsoft.SqlServer.DatabaseMail.XEvents, Version=17.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91' or one of its dependencies. The system cannot find the file specified.
If you use Database Mail and already downloaded this update, don't install it until a fix is available.
If you already installed this update, uninstall it to restore Database Mail functionality.

Incorrect behavior of SESSION_CONTEXT in parallel plans

Queries that use the built-in SESSION_CONTEXT function might return incorrect results or trigger access violation (AV) dump files when run in parallel query plans. This issue occurs because of the manner in which SESSION_CONTEXT interacts with parallel execution threads, particularly if the session is reset for reuse.
For more information, see the Known issues section in SESSION_CONTEXT.

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists for SQL Server 2025, SQL Server 2022, SQL Server 2019, and SQL Server 2017. Download this Excel file now.

Note

Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

For more information about the bugs that are fixed and enhancements that are included in this cumulative update, see the following table.

[Table of Improvements and fixes included in this update with bug references and descriptions]

How to obtain or download this or the latest cumulative update package

File information

Notes for this update

How to uninstall this update

References

• Announcing updates to the SQL Server Incremental Servicing Model (ISM)
• SQL Server Service Packs are no longer supported starting from SQL Server 2017
• Determine which version and edition of SQL Server Database Engine is running
• Servicing models for SQL Server
• Naming schema and Fix area descriptions for SQL Server software update packages
• Description of the standard terminology that is used to describe Microsoft software updates

Last updated on 01/20/2026

Original source

This security update contains fixes and resolves vulnerabilities

To learn more about the vulnerabilities, see the following security advisories:

■ CVE-2026-20803 - Microsoft SQL Server Elevation of Privilege Vulnerability

The Microsoft SQL Server components are updated to the following builds in this security update:

■ SQL Server - product version: 17.0.1050.2, file version: 2025.170.1050.2

Improvements and fixes included in this update

A downloadable Microsoft Excel workbook that contains a summary list of builds, together with their current support lifecycle, is available. The Excel file also contains detailed fix lists. Download this Excel file now.

Note: Individual entries in the following table can be referenced directly through a bookmark. If you select any bug reference ID in the table, a bookmark tag is added to the URL by using the "#bkmk_NNNNNNN" format. You can then share this URL with others so that they can jump directly to the desired fix in the table.

| Bug reference | Description | Fix area | Component | Platform |
| 4836807 | Restricts privileges for the DBCC stackdump so that only the sysadmin can invoke the dump file. | SQL Server Engine | Security Infrastructure | Linux, Windows |

How to obtain and install the update

• Method 1: Windows Update

• Method 2: Microsoft Update Catalog

• Method 3: Microsoft Download Center

More information

Prerequisites

Security update deployment information

File hash information

File information

The English version of this package has the file attributes (or later file attributes) that are listed in the following worksheet. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For all supported x64-based versions - Download the list of files that are included in security update 5073177.

Information about protection and security

Protect yourself online: Windows Security support

Learn how we guard against cyber threats: Microsoft Security

Original source