On 14 July 2026 — next Tuesday — Microsoft releases the last Patch Tuesday that includes SQL Server 2016. From that moment the version leaves extended support: every vulnerability discovered afterwards remains without an official fix. It is not an isolated case: it is the latest chapter of a tail of legacy products that many SMEs still run in production, often without a plan. Let us look at the full calendar, the concrete options and how to set up the transition without stopping the business.
The deadline calendar
The imminent deadline concerns SQL Server 2016, whose extended support ends on 14 July 2026. But the picture is broader, because part of the corporate software estate is already past the line: Windows 10 has been out of support since 14 October 2025 (22H2 was the final version), and on the same day Office 2016 and 2019, Exchange Server 2016 and 2019, Skype for Business Server, Visio and Project 2016/2019 also left support.
For many SMEs this means the ERP runs on a database that in a few days will no longer receive patches, queried from Windows 10 workstations that have not received any for months — unless enrolled in the extended update programmes. It is the classic «legacy time bomb»: everything works, nothing is covered.
What «end of support» really means
End of support does not mean the software stops working: it means it stops being defensible. No more security updates, not even for critical vulnerabilities under active exploitation; no bug fixes; no vendor technical support. Every CVE published after the deadline stays open forever on the unsupported version.
There is also a compliance layer: those operating a certified ISO/IEC 27001 management system have technical vulnerability management among their controls, and those within the NIS2 perimeter have explicit obligations on vulnerability handling and system maintenance. An unsupported software estate with no documented remediation plan is an almost automatic audit finding — and an uncomfortable question after an incident.
The three paths for SQL Server 2016
- 1Upgrade to SQL Server 2022 — the most linear path for those staying on-premise: a modern engine, full support, current security features. The knot is application compatibility: mid-market ERP systems are often certified only for specific engine versions, and the upgrade must be validated with the application vendor before touching production. If the physical server is dated, it is also the opportunity to virtualise instead of buying new iron.
- 2Migration to Azure SQL — Azure SQL Managed Instance offers high compatibility with SQL Server and delegates patching, high availability and backup to the platform. It makes sense when you want to get out of managing the database engine, within a broader cloud migration path. It requires a serious assessment of application dependencies, latency towards your sites and the cost model.
- 3Extended Security Updates via Azure Arc — for those who cannot migrate immediately, Microsoft makes ESUs available until 17 July 2029: servers are registered with Azure Arc with monthly pay-as-you-go billing, or purchased through Volume Licensing (requires active Software Assurance). Instances running SQL Server 2016 on Azure virtual machines receive ESUs directly through the platform. It is the right choice when the constraint is the application, not the infrastructure.
Why ESUs are a bridge, not a destination
Extended Security Updates cover only vulnerabilities classified as critical and important. They include no new features, no non-security fixes and no ordinary technical support. Meanwhile the software ages: incompatibilities with new operating systems, drivers and applications accumulate, and the programme cost is designed to grow year after year, precisely to push towards migration. ESUs buy time — and buying it is legitimate when needed — but the time must be used to execute a plan, not to postpone it.
Windows 10: the parallel chapter
For Windows 10 the deadline has already passed: support ended on 14 October 2025. Organisations can join the ESU programme, which covers up to three years of critical and important security patches with annual cumulative purchase (joining in year two means paying for year one as well). The prerequisites: version 22H2 with the ESU preparation packages installed; LTSB/LTSC editions are not part of the programme because they follow their own lifecycles. Activation in business environments goes through Intune, Windows Autopatch or Volume Licensing.
The bridge logic applies here too: ESUs keep secure the workstations that cannot yet move to Windows 11 — due to hardware or application constraints — while the refresh is planned. For the client fleet the transition is often the opportunity to rethink the model: managed devices with Intune and standardised profiles instead of machines configured one by one, and identities and workplaces governed through Microsoft 365.
The concrete risk: legacy is the first target
This is not theory. The May 2026 Operational Summary from CSIRT Italia identifies the dominant attack vectors as the use of valid, already-compromised credentials and the exploitation of poorly configured remote access services — and reports manufacturing among the sectors most hit by ransomware. An unpatched SQL Server 2016 database, reachable through weak remote access, holding orders, customer records and documents, is exactly the combination a ransomware affiliate looks for: a known entry point, data worth a ransom, a company that cannot afford the downtime.
The defence is not just patching: it is knowing you can restart. Whatever path you choose for the transition, a verified backup with tested disaster recovery is the prerequisite — both against ransomware and as a safety net during the migration itself.
How to set up the transition
- 1Inventory— census of all SQL Server instances (including the «hidden» ones inside applications) and Windows 10 workstations, with versions and dependencies.
- 2Compatibility check — for every application depending on SQL 2016, ask the vendor: certified for SQL 2022? For Azure SQL? On what timeline?
- 3Differentiated plan — what migrates now, what gets virtualised, what stays covered by ESU with a written exit date. Every system on ESU must have an owner and a deadline.
- 4Safety net — tested backup before every step, a defined rollback window, and reinforced monitoring on the systems that remain on ESU.
This is the work we do every week with SMEs: assessing the real context — applications, budget, constraints — and building the technical transition that holds, on-premise or in the cloud. If 14 July finds you still on SQL Server 2016, the priority is activating ESU coverage and putting a date on the migration plan.
Sources
- Microsoft SQL Server Blog — «SQL Server 2016 Extended Security Updates: Stay Protected While You Modernize» (23 June 2026)
- Microsoft TechCommunity — «Windows 10 Extended Security Updates: A Bridge to Your Windows 11 Experience» (28 June 2026)
- Microsoft Learn — lifecycle documentation: Extended Security Updates program for Windows 10; products reaching end of support on 14 October 2025
- ACN / CSIRT Italia — Operational Summary May 2026 (24 June 2026)
Read more
Frequently asked questions
Answers to the most common questions about the end of support for SQL Server 2016 and Windows 10.
Extended support for SQL Server 2016 ends on 14 July 2026: the July Patch Tuesday is the last one that includes fixes for this version. After that date Microsoft releases no more security updates: every vulnerability discovered from then on remains without an official patch, forever. The software keeps running, but it becomes progressively more exposed — and a company database is exactly the kind of target attackers look for.
Extended Security Updates are a paid programme that extends critical and important security patches only, until 17 July 2029. For SQL Server 2016 they are activated by registering the servers with Azure Arc, billed monthly pay-as-you-go, or through annual Volume Licensing for licences with active Software Assurance. Instances running SQL Server 2016 on Azure virtual machines receive ESUs directly through the platform. ESUs cover security only: no new features, no non-security fixes, no ordinary technical support.
It depends on the constraint that dominates your context. If your business application is certified for recent versions, upgrading to SQL Server 2022 is the most linear path and keeps everything on-premise. If you want to get out of managing the database engine, Azure SQL Managed Instance offers high compatibility with administration delegated to the platform. If the application software is not ready yet — the typical case of legacy ERP systems certified only for SQL 2016 — ESUs via Azure Arc are the bridge that keeps you covered while you plan the real migration. The mistake to avoid is the implicit fourth option: doing nothing.
Windows 10 has been out of support since 14 October 2025. Organisations can join the ESU programme, which covers critical and important security patches for a maximum of three years, purchased annually and cumulatively. Version 22H2 with the ESU preparation updates installed is required; LTSB/LTSC editions follow their own lifecycles and are not part of the programme. ESUs however do not replace a Windows 11 migration plan: every extra year costs more and the functionality and compatibility gap keeps growing.
Three things. First, operational risk: an unpatched database managing orders, customer records or documents is an ideal entry point for ransomware, which systematically hunts for exposed legacy systems. Second, compliance: those operating an ISO 27001 management system or falling within NIS2 have vulnerability and patch management obligations that are hard to reconcile with unsupported software and no documented remediation plan. Third, the insurance and contractual factor: cyber policies and structured clients increasingly ask for evidence that systems are supported and up to date.