Wednesday, March 25, 2026

SQL Server 2016: 111 Days. The Last Patch Just Dropped.

On March 10, Microsoft dropped a security patch for SQL Server 2016. It fixed a publicly disclosed elevation-of-privilege vulnerability, one that lets any authenticated user escalate straight to sysadmin. Patched. Done. You're safe. For now.

Here's the part that matters most: That patch came with an expiration date. SQL Server 2016 goes end of life on July 14, 2026. That's 111 days from today.

If you're still running SQL Server 2016 in production, this post is for you.

What March 10 Just Told You

This month's Patch Tuesday included three SQL Server elevation-of-privilege vulnerabilities — CVE-2026-21262 (publicly disclosed), CVE-2026-26115, and CVE-2026-26116. SQL Server 2016 got its patch: KB5077474, build 13.0.6480.4.

CVE-2026-21262 is the one worth staring at. Any authenticated database user — not just a DBA, not just a developer — can exploit it to become sysadmin. I wrote about it last week-ish. It's the kind of CVE that belongs on a compliance report, and possibly a very uncomfortable conversation with your manager.

And if you read yesterday's post on the Larva-26002 BCP malware campaign, you already know what the full attack chain looks like once they're in.

Today, you can patch it. After July 14, that option closes. The CVEs keep arriving on schedule, but the patches for SQL Server 2016 are done.

111 Days Is Not as Long as You Think

Walk the calendar backward from July 14. Be honest about your org's real-world timeline.

Activity                                         Typical time needed
Inventory and dependency audit                   1–2 weeks
Stakeholder approval and budget sign-off         2–4 weeks
Non-production environment testing               2–4 weeks
Application and vendor compatibility validation  1–3 weeks
Change control and production scheduling         2–4 weeks
Buffer for surprises (plan for them)             2 weeks minimum

Add that up and you're at 10 to 19 weeks. 111 days is just under 16 weeks, which sits in the middle of that range: a plan that hits every low estimate fits, and a plan that hits the high estimate on more than a couple of rows does not. Starting today puts you right on the edge. Starting next month puts you over it.

If you haven't read what technically breaks in a 2016-to-2025 upgrade — linked servers, replication, full-text catalogs, SSIS, connection strings — start there first. The engine upgrade is not the hard part. Discovering what silently fails afterward is.

The Double Deadline Nobody Is Talking About

Here's a detail that somehow keeps getting buried in the industry coverage: if your SQL Server 2016 is running on Windows Server 2016, and many are, the operating system is on its way out too. Windows Server 2016 reaches the end of extended support on January 12, 2027, six months after the SQL Server date. Two end-of-life dates, half a year apart, on the same box, and neither comes with a grace period.

That means you're not scheduling one upgrade. You're scheduling two, on the same hardware, with deadlines close enough to compete for the same change windows and the same people. Coordinate them together now and it's one migration project: new OS, new SQL Server, one cutover, one round of application testing. Ignore the second date and the server you just finished upgrading goes back out of support at the start of next year.

If you're not sure whether your SQL Server 2016 instances are sitting on Windows Server 2016, run this:

SELECT
    @@SERVERNAME                  AS server_name,
    @@VERSION                     AS sql_version,   -- on 2016 the OS name lives only here: "... on Windows Server 2016 Datacenter 10.0 <X64> (Build 14393: )"
    w.windows_release,                              -- kernel version string, not the product name; will not tell 2016 from 2019 by itself
    w.windows_service_pack_level,
    w.windows_sku
FROM sys.dm_os_windows_info AS w;   -- available since 2008 R2, so it works on a 2016 instance

If @@VERSION contains 'Windows Server 2016' (OS build 14393), you have both problems in one box. A caveat for anyone reaching for sys.dm_os_host_info, the DMV that reports the OS name in a host_distribution column: it was introduced in SQL Server 2017 and does not exist on a 2016 instance, so on the servers this post is about, you have to read the OS out of @@VERSION.

The CVE Conveyor Belt

This number keeps me up at night on behalf of any of my customers still on 2016: 79 CVEs were published against SQL Server 2016 in 2024 alone, and the CVEs against it in 2025 carried an average CVSS score of 8.4. This is no small thing.

It's not going to slow down after July 14. The researchers and the threat actors definitely aren't checking the EOL calendar. What stops after July 14 is Microsoft's response to what they find. Every vulnerability disclosed after that date becomes a permanent resident in your environment — no patch coming, no timeline, no fix.

To be fair: you can buy your way out of that for a while. Which brings us to the ESU math.

The ESU Trap

Extended Security Updates are Microsoft's 'we'll keep patching it if you keep paying' program. For SQL Server 2016, they're available for up to three additional years past EOL, so through July 2029. But read the fine print before you treat this as a plan.

ESU covers security updates that Microsoft rates Critical, and only those. No bug fixes. No performance improvements. No features. No support calls. Check the MSRC severity on the CVEs you care about before assuming ESU would have carried the fix: elevation-of-privilege bugs in SQL Server are often rated Important rather than Critical. And the cost structure is punishing: roughly 75% of the current license cost in year one, rising every year after that (earlier SQL Server ESU programs went to 100% in year two and 125% in year three). By year three, you may be spending more on ESU than a new license would have cost you when this conversation started.

ESU is a bridge — though a short one — with a toll.

If you're in a regulated industry (PCI-DSS, HIPAA, SOC 2, ISO 27001), there's another wrinkle: those frameworks generally require software to be on a supported, actively patched version. 'We're paying for ESU' may not satisfy your auditors as well as 'We upgraded before the deadline' will.

The Ecosystem Is Already Moving On

Microsoft isn't the only one checking the calendar. Third-party vendors have their own support matrices, and SQL Server 2016 is starting to fall off them.

BMC has already announced that Control-M/Enterprise Manager 9.0.27, planned for October 2026, will no longer support SQL Server 2016 as a backend database, and BMC won't be the last. Application vendors follow the same lifecycle pressure, and they rarely give more than one product release cycle of notice. By the time your ISV emails you about it, you're probably already behind.

Running an unsupported database version also tends to quietly invalidate software support agreements in ways that only surface when something breaks badly and you need the vendor to help. That's a terrible time to learn your environment no longer meets the vendor's prerequisites.

What to Do Right Now

If you haven't started, this is the actual checklist — not the marketing version.

First, find every SQL Server 2016 instance you have. Include everything -- even the report server the finance team spun up in 2018 and didn't tell anyone about. This query will tell you what you've got:

SELECT 
    @@SERVERNAME   AS server_name,
    @@VERSION      AS version_string,
    SERVERPROPERTY('ProductVersion')   AS product_version,
    SERVERPROPERTY('ProductLevel')     AS product_level,
    SERVERPROPERTY('Edition')          AS edition;

Anything with a product_version starting with 13. is SQL Server 2016 (SP3 is 13.0.6300.2). Write them down, and note the build: anything below 13.0.6480.4 hasn't received the March 10 patch either, so it is exposed today, not just after July 14.

Next, check your linked server providers — because this is the most common place upgrades silently detonate:

SELECT
    s.name              AS linked_server,
    s.provider,                  -- SQLNCLI / SQLNCLI11 = SQL Native Client, deprecated
    s.data_source,
    s.provider_string            -- shows any Encrypt= / TrustServerCertificate= already set
FROM sys.servers AS s
WHERE s.is_linked = 1
ORDER BY s.name;

Any row showing SQLNCLI or SQLNCLI11 is a problem waiting to happen post-upgrade. SQL Server 2025 ships with MSOLEDBSQL 19, which defaults to Encrypt=yes and validates the target's TLS certificate; SQL Native Client defaulted to an unencrypted connection, so it never had to validate anything. A linked server whose target presents a self-signed certificate (the out-of-the-box state for most SQL Server instances) will stop connecting under the new provider. The right fix is a certificate on the target that the calling server trusts; setting TrustServerCertificate=yes in the provider string also makes it connect, but it gives up exactly the man-in-the-middle protection the validation provides. Plan for it now, not after your upgrade.

Then — and I cannot stress this enough — test in non-production first. Not just the upgrade. Every downstream connection, every SSIS package, every replication topology, every application connection string. As I said, the engine upgrade itself is typically the easy part. Here's a full breakdown of what will break, and why.
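The checks above (instance inventory, linked-server providers, and the host-OS check from the double-deadline section) folded into one script, as an added example that is not code from the original post. It is written to run on a SQL Server 2016 instance itself, so it uses nothing newer than 13.x (no sys.dm_os_host_info). It assumes the March 10 build the post cites, 13.0.6480.4, and the July 14, 2026 date, and adds one check the post only implies: who holds sysadmin right now and which server-role additions the default trace recorded, since an instance that sat unpatched while CVE-2026-21262 was public deserves a look before it is migrated.

```sql
-- Added example, not from the original post. Runs on SQL Server 2016 (13.x);
-- avoids DMVs introduced in 2017 or later. Assumed inputs: the patched build
-- 13.0.6480.4 (KB5077474, per the post) and the EOL date 2026-07-14.
SET NOCOUNT ON;

DECLARE @product_version nvarchar(128) = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'));
DECLARE @patched_build   nvarchar(32)  = N'13.0.6480.4';

-- ProductVersion is text ('13.0.6300.2'), so split it with PARSENAME and compare
-- the numeric parts; a plain string compare would sort 13.0.10000.1 before 13.0.6480.4.
DECLARE @major            int = PARSENAME(@product_version, 4),
        @build            int = PARSENAME(@product_version, 2),
        @rev              int = PARSENAME(@product_version, 1),
        @patched_build_no int = PARSENAME(@patched_build, 2),
        @patched_rev      int = PARSENAME(@patched_build, 1);

-- 1. Engine version, patch state and host OS. On 2016 the OS name appears only
--    inside @@VERSION, e.g. "... on Windows Server 2016 Datacenter 10.0 <X64> (Build 14393: )".
SELECT
    @@SERVERNAME                        AS server_name,
    @product_version                    AS product_version,
    SERVERPROPERTY('ProductLevel')      AS product_level,
    SERVERPROPERTY('Edition')           AS edition,
    CASE
        WHEN @major <> 13 THEN N'not SQL Server 2016'
        WHEN @build < @patched_build_no
          OR (@build = @patched_build_no AND @rev < @patched_rev)
            THEN N'SQL Server 2016 BELOW the March 10 build: still exposed to CVE-2026-21262'
        ELSE N'SQL Server 2016 at or above the March 10 build: patched, EOL 2026-07-14'
    END                                 AS patch_status,
    CASE WHEN @@VERSION LIKE N'%Windows Server 2016%'
         THEN N'yes (Windows Server 2016 extended support ends 2027-01-12)'
         ELSE N'no' END                 AS on_windows_server_2016,
    DATEDIFF(day, CAST(GETDATE() AS date), CAST('2026-07-14' AS date)) AS days_to_sql2016_eol;

-- 2. Linked servers. SQL Native Client providers must be re-created on MSOLEDBSQL,
--    whose version 19 defaults to Encrypt=yes with certificate validation.
--    provider_string shows any Encrypt= / TrustServerCertificate= already set.
SELECT
    s.name            AS linked_server,
    s.provider,
    s.data_source,
    s.provider_string,
    CASE
        WHEN s.provider IN (N'SQLOLEDB', N'SQLNCLI', N'SQLNCLI10', N'SQLNCLI11')
            THEN N'deprecated: re-create on MSOLEDBSQL; target needs a certificate this server trusts'
        WHEN s.provider LIKE N'MSOLEDBSQL%'
            THEN N'modern provider: confirm Encrypt/TrustServerCertificate intent'
        ELSE N'non-SQL Server provider: check vendor support on the new engine'
    END               AS action
FROM sys.servers AS s
WHERE s.is_linked = 1
ORDER BY s.name;

-- 3. Who is sysadmin now, newest principals first.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m  ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.create_date DESC;

-- 4. Server-role additions recorded by the default trace (EventClass 108,
--    Audit Add Login to Server Role). Replacing the current file name with
--    log.trc makes fn_trace_gettable read every rollover file in the directory.
DECLARE @trace_file nvarchar(260) =
    (SELECT LEFT(path, LEN(path) - CHARINDEX(N'\', REVERSE(path)) + 1) + N'log.trc'
     FROM sys.traces
     WHERE is_default = 1);          -- NULL if the default trace has been disabled
IF @trace_file IS NOT NULL
    SELECT t.StartTime, t.LoginName AS actor, t.TargetLoginName AS added_login,
           t.RoleName, t.HostName, t.ApplicationName
    FROM sys.fn_trace_gettable(@trace_file, DEFAULT) AS t
    WHERE t.EventClass = 108
    ORDER BY t.StartTime DESC;
```

Run it as a login that can read the default trace (sysadmin, or ALTER TRACE). Rows carrying the "deprecated" action in the second result set are the linked servers to rebuild before the upgrade; resolve them with a CA-issued certificate on the target rather than TrustServerCertificate=yes. The default trace only holds the last few rollover files, so for a longer window you need a server audit or your SIEM; an empty fourth result set means "nothing recorded recently", not "nothing happened".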

The Bottom Line

SQL Server 2016 just got patched. That's the good news. The better news — if you act on it — is that you still have 111 days to handle things properly, rather than in panic mode.

Every day you wait, the calendar compresses and the options narrow. The organizations that are going to have a bad summer are the ones having this conversation in June. Don't be them.

July 14, 2026. Mark it in red. Then work backwards.

Need help planning the upgrade before the deadline? We do this.

More to Read

sqlfingers: SQL Server 2016 Ends in July. Here's What Will Break.
sqlfingers: Patch Tuesday: Your sysadmin Role Was Up for Grabs
sqlfingers: They Hid Malware in a SQL Table. A Weak Password and BCP Did the Rest.
endoflife.date: Microsoft SQL Server
Microsoft Lifecycle: SQL Server 2016
