SQL Server 2016 End of Support: 17 Days Left and What UK Businesses Must Do With Their Servers
Microsoft SQL Server 2016 reaches end of support on 14 July 2026. That is 17 days from today. After that date, Microsoft will issue no further security updates for the platform. Every new vulnerability discovered in SQL Server 2016 after 14 July becomes a permanent, unfixed gap in any system still running it. And two of the three paths available to UK businesses when that deadline hits require secure, certified disposal of the physical hardware.
This is not an abstract future risk. The ICO fined South Staffordshire Water £963,900 in May 2026 after investigators found the company had been running Windows Server 2003 at the time of a cyberattack. Among the failings identified were the continued use of outdated Windows Server 2003 systems. Running legacy, unsupported server software is not just a technical debt problem. It is an ICO enforcement problem. SQL Server 2016 going end-of-life in 17 days creates exactly the same category of exposure.
Key takeaways
SQL Server 2016 reaches end of support on 14 July 2026. No security patches after that date.
Two of the three response options available to UK businesses trigger immediate server disposal requirements.
Every server disposed of requires NIST SP 800-88 Rev. 2 certified data destruction and a serial-level Certificate of Destruction.
Cyber Essentials requires all software to be licensed and supported. SQL Server 2016 post end-of-support fails that requirement.
Windows Server 2016 follows in January 2027, creating a second wave for organisations that defer.
Why this matters beyond the technical team
SQL Server 2016 running past its end-of-support date does not just create a cybersecurity vulnerability. It creates a data protection compliance gap. The databases hosted on SQL Server 2016 are almost certainly processing personal data: customer records, employee information, financial transactions, order history, CRM data. Under UK GDPR Article 32, organisations must implement appropriate technical measures to protect personal data. Running an unpatched database platform with known, unfixed vulnerabilities is not an appropriate technical measure. It is the absence of one.
Cyber insurers ask about unsupported software during underwriting renewal, and some insurers will refuse to renew or quietly drop a clause if unsupported operating systems or applications are discovered. SQL Server 2016 post end-of-support sits squarely in that category. If your organisation experiences a data breach involving a SQL Server 2016 instance after 14 July 2026, the insurer's first question will be why the database was still running unsupported software with known vulnerabilities.
Cyber Essentials, the SRA's technology expectations for law firms and various sector-specific data rules all assume current, supported software. After 14 July 2026, SQL Server 2016 is unsupported software. The Cyber Essentials v3.3 Security Update Management control requires all software to be licensed and supported, and critical patches applied within 14 days. A database platform with no patches to apply because the vendor has ended support fails that control. CE certification held alongside SQL Server 2016 post end-of-support is a certification built on incomplete foundations.
The three paths and their disposal implications
When SQL Server 2016 reaches end of support, every organisation running it faces three options. Two of them trigger a server disposal event.
Path 1: Upgrade in-place to SQL Server 2019 or 2022. The database platform is upgraded on the same physical hardware. This is the cleanest option if the server hardware is recent, in warranty and compatible with the newer SQL Server versions. The physical server stays. The data stays on-premises. The ITAD trigger is low because no hardware moves. The risk is hardware age: a server bought in 2014 to run SQL Server 2016 may not have the specifications to run SQL Server 2022 efficiently, and may itself be approaching end-of-support for its firmware and components.
Path 2: Migrate databases to cloud. Migrating to Azure SQL, AWS RDS or Google Cloud SQL means the physical server hardware becomes redundant at the point of migration, and the decommissioning of those servers must be planned and executed as part of the migration project rather than as an afterthought. This is the path most likely to be underestimated. Teams focus on the migration and lose track of the decommissioning. Physical servers accumulate in server rooms with databases that were live until migration day, their data not yet destroyed. The ITAD trigger is high and immediate.
Path 3: Decommission the server entirely. The server is retired without a migration or in-place upgrade. Full hardware disposal with certified data destruction. The ITAD trigger is immediate. No device leaves site until the data destruction is complete and the Certificate of Destruction is in hand.

What secure server disposal requires
Server disposal is categorically different from laptop disposal. A single database server can hold terabytes of personal data across dozens of databases. The disposal process must match that scale and sensitivity.
Full inventory before anything moves. Every server, serial number, drive count, RAID configuration and data classification must be documented before decommissioning begins. This is the master record that the chain of custody flows from.
NIST SP 800-88 Rev. 2 Purge applied to every drive. Every hard drive and SSD in every server must be individually sanitised. RAID arrays require the sanitisation to be applied to each component drive, not to the logical volume. SSDs require ATA Secure Erase or cryptographic erase to reach over-provisioned cells. This is per-drive, per-serial-number work.
IEEE 2883 for high-density storage. Enterprise storage arrays, NVMe components and SAN-attached storage require the IEEE 2883 standard to be applied alongside NIST SP 800-88. This applies to any storage device where standard overwrite approaches may be insufficient due to architecture.
Serial-level Certificate of Destruction. Every drive in every server must be listed by serial number on the Certificate of Destruction, with the destruction method and standard applied confirmed and dated. A Certificate that lists servers rather than individual drives does not satisfy an ICO audit.
DEFRA Digital Waste Tracking consignment ID. From Q4 2026, every Certificate of Destruction must carry a DEFRA DWTS digital consignment reference. Your disposal partner must be registered on the DEFRA system. If they are not, their certificates will be incomplete from October 2026.
The South Staffordshire warning
Investigators found that South Staffordshire had failed to implement appropriate security controls, including the continued use of outdated Windows Server 2003 systems, and the ICO made clear that waiting for performance issues or a ransom note to discover a breach is not acceptable, and that proactive security is a legal requirement, not an optional extra.
The parallel to SQL Server 2016 is direct. An organisation that continues running SQL Server 2016 after 14 July 2026 has made a deliberate choice to operate an unsupported, unpatched database platform holding personal data. If a breach occurs on that platform after end-of-support, the ICO will find it difficult to characterise as a technical failure. It is a governance failure. The same enforcement logic that applied to Windows Server 2003 in 2022 applies to SQL Server 2016 in 2026.
What to do in the next 17 days
If your organisation is running SQL Server 2016, three actions are needed before 14 July.
Confirm which path you are taking: in-place upgrade, cloud migration or decommission. If you have not decided, decide now. Running on ESU while planning is a viable short-term measure only if Microsoft offers ESU for your SQL Server 2016 edition and you have enrolled. Not all editions qualify.
If cloud migration or decommission is the route, engage a certified ITAD partner now. Server disposal is not a same-day job. Inventory, chain of custody, data destruction, certification and recycling require planning. Organisations that leave this until after migration day will find their old servers sitting in server rooms for months with live data still on them.
If you are proceeding with in-place upgrade, confirm your hardware is compatible with SQL Server 2019 or 2022 and schedule the upgrade before 14 July. Every day past that date on SQL Server 2016 is an unpatched day.
Retire your IT. Recover its value. Prove it is gone.
NanoSoft manages server decommissioning projects for UK organisations of all sizes. Every project applies NIST SP 800-88 Rev. 2 and IEEE 2883 certified data destruction, produces a serial-level Certificate of Destruction for every drive and server component, and is completed under ISO 27001 certification, ADISA Standard 8.0 assurance and full DEFRA DWTS compliance from Q4 2026. Where decommissioned server hardware carries residual value, we recover it and return it to you.
Contact NanoSoft: services@nanosoftltd.com | 0800 677 1344 | Unit 8 & 9 Maldon Trade Park, Heybridge, Maldon CM9 4LJ, UK
Found this useful? Share it.
