If you need to use production data for your testing and don’t want to expose any sensitive data on your development environment, you should look at obfuscating them.  This article shows the common obfuscation methods in use: character scrambling, repeating character masking, numeric variance, nulling, artificial data generation, truncating, encoding, and aggregating.

Also, if you are looking for a function in SQL Server that pretty much does like the function REPLACE() but only replaces one substring in a specific position and length, then STUFF() might be the one.