Sorry! I read your post incorrectly. I thought you were discussing the process of building “new” servers and applying all the missing patches as quickly as possible. We don’t release a “new” server to Application Owners until they are fully patched, so time to patch them is not critical.
Every Patch Tuesday I create a Baseline with that Month’s Microsoft Fixlets/Tasks. All of them. We handle Linux/UNIX servers differently.
Our Operations Center then uses these Monthly Baselines to deploy the Patches to groups of servers in pre-defined Patch Windows. We usually assume that the Monthly patches will take between 2 and 4 hours to install, but we advertise 4-6 hours for the installation process. They first push the Baselines to “Test” servers. This helps to pre-stage the patches on the Data Center Relays so when the Baselines are pushed to the Production servers a few nights later, they are already cached and the Production servers can quickly download them and install them.
As I mentioned earlier, we don’t use the Pre-Cache option with Baselines because each server seems to attempt to pre-cache all the patch installers in the baseline, and for most servers, they don’t need all the patches.
In practice, I’ve found that there are very few modern Microsoft patches that will impact the performance of a server before it is rebooted. If any of these come up, we find them when we patch the Test machines. The only time the End Users are directly impacted by patching is while the servers are rebooting and finalizing their patches, and this would be the same for WSUS-installed patches as for IEM-installed patches.
We handle Server Reboots as a separate action with a 30-minute staggered start because we have a large number of servers.
The whole process does take a little longer than if WSUS were doing it, but not much, and we get much better control and reporting of the process using IBM Endpoint Manager.