Best practice guidelines here:
"Why Patches Should be Scheduled With Default Software Update Plug-in (DSUP) Policies"
"Each group of computers (for example servers, workstations, and test group) should have a clone of the original DSUP policy targeted to them that is configured with an appropriate patching schedule and reboot settings"
http://www.symantec.com/docs/TECH228050
And:
"Configuring Patch Management for Windows - Best practices for 7.5.x - 8.0.x"
http://www.symantec.com/docs/HOWTO56242