I work for a fairly large corporation and we have been tackling this issue more recently than not. I am kind of disappointed in the way it started out but have made the best recommendations based on the needs.

When a new patch comes out that is warranted as "Critical", the company was just pushing it out to everyone immediately through SMS, and that included servers. All patches got put out; if it breaks anything, then figure it out. (I can feel all of you cringing just like I still do.)

Now, since we can't fully replicate a lot of our environment in a lab:
For Desktops:
We push the patch out to a sample population.
-If there are no issues within a 24-hour period, we push it out to everyone.

For Servers:
Push the patch out to non-critical servers.
-Test for 24 hours, then hit all the critical servers.

Now this doesn't happen this way every time, but it is a decent method. If we know there are going to be some major virus/hijack issues related to a specific exploit, and there is no workaround other than the patch... it gets pushed out as soon as possible to all machines with minimal impact to the business (tough when you run 3 shifts 7 days a week).

A tool you might look into if you can't afford SMS is Shavlik. There is a free version and a pay-for version.
Free gives you CLI ability to query the machines and then apply the patches.
Pay-for gives you a cool GUI with some other options.

I think the free version is fine if you are in a smaller environment and can whip up a batch file.