Jon Russell clarifies the situation:
SQL Server administrators often encounter Microsoft updates labeled as “CU + GDR”, and understandably, this can cause confusion — especially when trying to stay on a consistent CU-based servicing path. This post clarifies what “CU + GDR” really means and why it’s not something to worry about.
Read on for an overview of the different security models, as well as the odd duck in SQL Server 2016.