I was speaking of SQL Server patches, but Windows ones would count as well. Typically there is someone else that handles patching Windows in most companies I've seen, even small ones. Separate from the developer / DBA. If you're the sysadmin stuck with SQL Server, then you probably do both.

The other patches for SQL Server, not security ones, could impact the way things work. I'm not sure if they are security related in any way, though they'd include security items. Each includes previous patches.

I don't recommend the CUs unless you are affected severely by an issue and can't wait for the yearly service pack. These items aren't comprehensively tested.