In summary:
Whenever the SEPM gets a hold of the latest definitions, any clients configured to "Update via the default management server" will pick up those new defs on the next heartbeat and randomisation window.
That means when you change your SEPM's schedule to run at 2pm, then all clients are likely going to download the defs shortly after that.
Currently, the only way to accurately schedule the download of definitions on SEP Clients is to enable "Update via LiveUpdate", which enables the scheduling options, and either point them at Symantec LiveUpdate (if your WAN link can handle it) or at an internal LUA server as you mentioned.
There is an active IDEA for the option to schedule the definition downloads via the SEPM. Please vote for it if you think it beneficial:
https://www-secure.symantec.com/connect/ideas/option-have-update-windows-endpoints-without-use-symantec-liveupdate-or-liveupdate-administrat