• I put the GDR patch on where I had installed only up to a service pack, so where I had SQL 2014 SP2 only I applied the GDR (General Distribution) patch. Where I had SP2 with CU7 installed I patched with the CU10 update, but only after testing. Both patches include the security update you need, so you only need the specific patch for either situation.

https://support.microsoft.com/en-us/help/4073225/guidance-protect-sql-server-against-spectre-meltdown

Funny thing after the patch though: when you put CU10 on and do `SELECT @@VERSION`, it reports SP2-CU10-GDR, which is most confusing.

I patched all the machines and didn't notice any performance hit. It depends which blogs you read as well: some are all doom and gloom and say it will kill everything, some say there have been minimal reports of any performance impact. This all stems from the OS patch stories about performance hits. The only way to be sure is to test the patches before applying them in production.