This is going to be a matter of implementation and the nature of the infection.
A separate installation running on another computer on another network typically will not share the infection unless the sandbox itself was infected at the application level and passes it along to the live installation when pushing an update.
However, where the sandbox is installed somewhere on the same network as the live version, there are things that can affect both. The less isolation you have here the more likely an overlap is to happen. So two machines on 1 network may spread a self-replicating virus if you have an overly permissive set up, or something at the router level may affect both of their traffic. One machine with multiple virtual machines may also be vulnerable to the same bios virus but immune to most other system level infections. One OS with minimal separation could have a varying level of vulnerability just depending on setup.
Short answer is that it's always possible, but how you isolate your sandbox makes a big difference. For the best redundancy, you want to maintain three separate environments. One live server (typically a cloud hosted server), one sandbox server (typically something local that you have a lot of control over so you can make it more-or-less inaccessible from the internet), and one backup server (typically a cloud server separate from your live server).
Backups are much harder to spread infections with because they are generally not executable. If you make a clean backup on Monday, and save an infected backup on Tuesday, Monday should still be clean. So on Wednesday when you discover that your application is compromised, you can just wipe it and pull up a clean backup from Monday and you are good to go.