We use WSUS now, but everything's manual. That means our server teams are in every week during our maintenance window. It also means we can't afford to take down our most important servers except once every quarter. For that reason, we're looking to move to Altiris so that our updates are approved, assigned, scheduled, monitored, and resolved in the same place.
The same goes for workstations. Right now, we have to pull a compliance report from WSUS, then manually find the computers in Altiris DS, then send scripts to resolve, then re-run the report, etc. I hope that by moving to patch management in Altiris, we'll be able to dynamically update filters so that problem computers auto-resolve. A big problem right now is rolling out XP SP3 and Office 2007 SP2. (I asked for a report in October and discovered the patch team had not approved it.) WSUS isn't doing a good job of fully installing such large patches.
WSUS also doesn't have bandwidth management, whereas Altiris does have bandwidth management. This is important for our sites across slow links. We're only around a thousand nodes, but with six or seven slow sites, this is a feature that would help.
We could also use bandwidth features to restrict updating over slow connections like wireless or VPN, while still allowing users to upload patch statuses. Because WSUS uses port 80 (or 443 if you go SSL) for everything, you can't throttle bandwidth and still maintain the status updates.
Reboot management is another area where we'd like additional control. Altiris has more control for reboot settings than WSUS.
Altiris patch management also uses QChain, which means all applicable updates for a computer can be installed simultaneously and require only a single reboot. With WSUS, multiple reboots are often required: patch, reboot, get more patches, reboot, repeat even more. This is somewhat acceptable for workstations, but not even close to acceptable for our servers. Again, our patch administrators do these manually and we're really looking to save time and reduce the number of outages required per server per patch event.
Having an integrated tool is really part of it. The ability to pull inventory, find compliance against your policy, and take remediation steps from the same Console is very important to managing patches well.
A downside: I believe some items we currently get through WSUS may not be available through Altiris. In this case, we need to be more careful that we stage items other than Security Updates properly (Service Packs, Malicious Software Removal Tool, Feature Packs, etc.). There's also a slight delay in obtaining updates in Altiris, whereas WSUS has them right away.
It's also nice that the Altiris Agent is already installed and I won't have to worry about WSUS communication problems or duplicate SusClientIDs. Because patch is already within Altiris, I don't need to audit yet another system. Instead, if it's in Altiris, I know that we see it.
Finally, our Linux guy also does patching. In addition to our 80 or so Windows servers, he's got 40 or so Linux servers. I have no visibility on these, and he has no policies or automation. By pulling this into patch management, we automate another manual process and eliminate another tool to maintain/place to check.