Patch Management Group

  • 1.  Patch Management - Download Patches but not install, user chooses patches to install, possible?

    Posted May 23, 2013 02:23 PM

    Is it possible to download patches but not install them, so that the user then chooses which patches to install?



  • 2.  RE: Patch Management - Download Patches but not install, user chooses patches to install, possible?
    Best Answer

    Posted May 23, 2013 03:32 PM

    You can create a filter for those special machines, then create (clone from default) a software update policy and schedule it far in the future, say the year 2050.

    Please keep posted.

     

     

     



  • 3.  RE: Patch Management - Download Patches but not install, user chooses patches to install, possible?

    Posted May 23, 2013 03:58 PM

    How important would "which patch to install" be vs "all pending patches"?

     

    I can think of a few ways to leverage the software update agent command line but it would be more difficult if you wanted to allow the user to pick which available patches to run.

     



  • 4.  RE: Patch Management - Download Patches but not install, user chooses patches to install, possible?

    Posted May 23, 2013 04:20 PM

    The users are actually system administrators and the computers are servers such as Exchange, etc.



  • 5.  RE: Patch Management - Download Patches but not install, user chooses patches to install, possible?

    Posted May 24, 2013 08:23 AM

    I use Charlie's solution often for servers; it works well.



  • 6.  RE: Patch Management - Download Patches but not install, user chooses patches to install, possible?
    Best Answer

    Trusted Advisor
    Posted May 24, 2013 01:11 PM

    I like Charlie's idea as well (and I actually do that here) but I do not like to enable the "Allow user to run" option in the policy.  If you have that enabled then any user, administrator or not, who can access the Software Updates tab in the SMA can trigger the patch event.  For us, that was a little too risky.

    Instead we've given our administrators the knowledge to trigger the patching event from a command line, or you can build a Task that would trigger the patching command without having to access the system:

    ".\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AexPatchUtil.exe" /Xa /reboot

    That command line will trigger all available patches and then reboot when completed if necessary.

     

    For your second question about choosing individual patches... allegedly there's a way to specify, from the command line using the same utility, the GUID of the patch package you want to apply, but I've never had luck with that.  The downside is the failed syntax mode is to go ahead and install all pending patches anyway.

    You *could* just open the agent, double-click on each individual update package, select the Download History tab of the package, and then browse to the URL or UNC of the package and execute them directly and individually, but this won't pass the patch command lines and, of course, you're doing them all manually.

    The better option is to do better grouping and policy creation.  However, you're going to get very complicated very quickly, and your org should probably get more comfortable with a process that allows you to test on a subset of systems and then proceed into production with automated installations.