What’s your best practice on keeping up to date for patches pertaining to SQL, Exchange, etc…
I wrote an article a while ago for my internal guys and published it online. It was long, and it doesn't address your question specifically, but you might be interested.
With Exchange and SQL, the main care we take is to NEVER install Update Rollups, Feature Packs, or Service Packs. So far in 2 years we haven't had any issues. With Exchange, if you have multiple mailbox servers in a DAG and they are patched differently you can / will corrupt data. Same goes for SQL, but I'm not sure what the other constraints are.
I always approve Critical, High, Medium, and Low Security updates, but review them first.
If you are worried about administrative effort, use patch policies and you'll only have to review 10 patches a week if that.
If you review incoming patches by Type (not by classification) you can easily dismiss anything for Exchange or SQL if you like.
On top of that, we have two patch policies, one for a few test servers, one for everything else.
The everything else group doesn't get a patch on it until the test servers have been patched first. We delay patches going to production by about two weeks to let test servers get the patches and make sure there are no patch issues out in the wild.
Hope that helps.