Greetings Ian,
SPC 2 is indeed an appliance, and is based on the 2008 R2 Web Core edition.
Due to the locked down nature of the appliance not all Microsoft patches may be relevant, so all released OS patches are tested and validated against the SPC implementation by our QA and Security department.
When a patch is deemed necessary, and has been tested, it is added to a whitelist on the SPC appliance that is updated automatically as often as every 24 hours, or manually after the "Check for Updates" button has been activated in the Software Updates section of the web console.
Once on the whitelist the patch is then download from Microsoft or from an in-house WSUS server and then applied to the base OS.
As we do not currently support AD integration (joining the SPC appliance to a Windows Domain), or patching of the base OS without validation testing first (there are more than seven underlying Symantec technologies working in a finely tuned balance on the appliance), you would not be able to integrate with your GPO policies.
We do not currently have any released information about what patches have, or have not, been applied to the base OS, but it is being done.
Regards