• Steve Jones - SSC Editor - Monday, January 22, 2018 2:11 PM

    You should be on a particular branch of patching. The GDRs are usually for someone that is patched with the normal branching. If you look through the build list, you should see where your current build will fit and then decide whether you're on a GDR branch or not.

    There are really only two branches of code for a version. These are usually the current and previous SP levels. Any patches for CUs or security updates are merged into the branch at the current level, which is then released. If you applied later CUs than this security update, these CUs include the TLS patches. If you're back on 10.50.4042 or so, you're in SP2 and way behind.

    All patches are cumulative, but you enter the patch cycle in a different place, depending on whether you're current or not. I think QFEs sometimes go out early and GDRs come later, but they all get patched. I go by versions, not worrying too much about the QFE/GDR stuff, especially if I'm deploying later. I think once you've gone GDR, you're always on that branch of deployment.

    Our 2008R2 SQLs are all on the "final" SP3 (10.50.6000), and they have the QFE security patch (10.50.6529) for MS15-058. If indeed all patches are cumulative, then it should be safe to test in our DEV environment applying first the TLS 1.2 patch (10.50.6542), and follow up with Meltdown/Spectre GDR (10.50.6560).

    Did I mention I'll do that first in our DEV environment? 🙂

    Thanks, Steve!

    Mike Hinds, Lead Database Administrator, 1st Source Bank, MCP, MCTS