I created a policy for the 2 of these updates this morning. An hour later or so, a few servers we have rebooted randomly. I checked and sure enough, they applied the patches and rebooted - even though their policy says they're not to run a patch cycle until 2020 (just so things cache, and we fire the patch cycle off through task or ds jobs).
We had an issue just like this a few months ago where a few servers received the updated policy and started firing off a patch cycle.
Thankfully I was able to catch it early both times before critical servers rebooted.
The only oddity I noticed was that for a few of the patch command lines, the Symantec default was: /passive /norestart /quiet which surprisingly didn't cause an error. I have changed these to be just /quiet /norestart. They were for the XP and 2003 patches, though both of the servers that rebooted were 2008. Not that the cycle should have started in the first place....
Has anyone else seen this issue? 2 times in the last 4 months is too frequent for my taste.