Yes CU21 requires schema updates.
RUN EACH UPDATE FROM AN ELEVATED PROMPT
You apply CU21 to each server: (
https://support.microsoft.com/en-us/topic/cumulative-update-21-for-exchange-server-2016-kb5003611-b7ba1656-abba-4a0b-9be9-dac45095d969
THEN you apply the July security update from an elevated prompt:
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421
Pay special attention to the known issues before running the Security Update:
Run the healthchecker on each server to ensure the OAuth cert is valid and exists.
https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
Your steps look correct.
After you are done:
Run the health checker again
test-servicehealth
get-servercomponentstate <server>
get-queue
test-replicationhealth
get-mailboxdatabasecopystatus
If you encounter any issues:
https://learn.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues