We have to have our entire environment patched within 10 days of a patch being released, so I get to deal with this issue on a monthly basis.
We patch our environment the Thursday after patch Tuesday and run through the following Friday. There are different schedules on each day to accommodate various applications and maintenance windows, i.e. patch at 8pm on a Saturday and reboot at 10pm vs. patch at midnight on Saturday and reboot at 2am. We also have collections set up for servers that need manually patched (which has a 1/1/1980 patch policy so Altiris can still be leveraged to patch on demand)
Next, we have daily reporting collections that contain a cumulative list of everything that's patched so far. The Saturday collection contains all Saturday patch collections, all Friday patch collections, all Thursday patch collections, etc., and the Sunday collection contains all of these plus the Sunday patch collections.
We have a collection report that lets you pick a parent collection and will report on all machines in that collection and what sub-collection they belong to:
select vc.[name] as 'Computer name', i.[name] as 'Collection'
from vcollection c
join collectionincludecollection cic on cic.collectionguid = c.guid
join Collectionmembership cm on cm.collectionguid = cic.subcollectionguid
join vitem vc on vc.guid = cm.resourceguid
join vitem i on i.guid = cic.subcollectionguid
where cic.collectionguid = '%Collection1%'
group by i.[name], vc.[name]
I use that to know who's in what collection, then just run the canned Compliance/Vulnerability by Computer - Details report against the corresponding daily collection so I can get an accurate view of patch compliance levels only on the machines that should have patched.
It's still a solution that will require manual work on your part, but I've tried to dig into the canned reports (which are in the DB as stored procedures) and I think the SQL driving those things would make even the most seasoned DBA cry! :)