Service packs, hotfixes and security patches are updates to products to resolve a known issue or workaround.
Moreover, service packs update systems to the most current code base. Being on the current code base is important because that's where Microsoft focuses on fixing problems. For example, any work done on Windows 10 is targeted at the next service pack and hotfixes are built against the existing available base. The same methodology applies to Office, Adobe Acrobat, Java and many other products, it is not limited to the Operating System.
Individual hotfixes and security patches on the other hand should be adopted on a case-by-case, "as-needed" basis. The majority of security updates released are for client side (often browser) issues. They may or may not be relevant to a server installation. Evaluate the update, if it's needed, then apply it. If not, assess the risk of applying or not.
The basic rules are:
"The risk of implementing the service pack, hotfix and security patch should ALWAYS be LESS than the risk of not implementing it."
"You should never be worse off by implementing a service pack, hotfix and security patch. If you are unsure, then take steps to ensure that there is no doubt when moving them to production systems."
The following guidelines outline the recommended processes to follow before implementing service packs, hotfixes and security patches. You can follow them as a step-by-step guide to having a successful implementation of any Microsoft recommended update.