I'll second WSUS. I've been using it for a couple years with few problems. It really helps organize the patching process as well as enforcing compliance. You may want to brush up on your Group Policy editing as well because a few settings need to be adjusted to force clients to play nice with the WSUS server.