...that is to say patches/hotfixes/etc, these are never automatically rolled out. Instead these are managed via the SEPM and the Auto-Upgrade options under the CLIENTS section as below
http://www.symantec.com/docs/TECH96789
Regarding the management of definitions however, there are a couple of options. One is managed within the SEPM itself, and is through the use of the LiveUpdate Content Settings policy, which can be used to control what definitons are deployed to the targetted groups.
http://www.symantec.com/docs/HOWTO11093
http://www.symantec.com/docs/HOWTO55242
The second, and my preferred, method for definition management is the use of the LiveUpdate Administrator. This must be used in conjunction with the SEP Liveupdate Settings policies, but allows far more control of definitions (mark as pass/fail/retest/etc). More detail below:
http://www.symantec.com/docs/TECH92584