Apple Software Update Server Best Practices

bwiessner
Contributor II

Just wondering what others are doing for managing this and what has worked or what hasn't?

I am running 10.9.5 with Server 3.2.2

I am using the Manual setting and choosing which updates to enable. There are so many updates that don't apply to my users that I did not want to use the Automatic setting.

Thoughts? Input?

Thanks!

3 REPLIES

kishjayson
Contributor

For our needs, we defined a window each month where new updates would begin rolling out to managed clients. So in our case, we set the Software Update Server to Manual, then enabled everything from the start, since the client would be smart enough to only install the updates that apply to that particular system. Going forward, however, we manually enable the new updates monthly after a cooling-off period, just in case Apple needed to re-issue one.

bwiessner
Contributor II

@kish.jayson

Thanks for sharing. That sounds like a good plan.

RobertHammen
Valued Contributor II

Here's the type of workflow that I recommend for many clients.

a) Set up a SUS in Automatic mode (download and enable all updates). Let it cache everything (assuming you have the space).
b) Once configured, set it to Manual mode, but click the checkbox to download all updates. By doing so, the updates are downloaded but not enabled. This also means, when you go through and approve/enable updates, they are available nearly instantaneously, rather than having to wait for them to download (probably during the day when your bandwidth is at a premium, instead of at 3 a.m. when the update server does its sync by default).
c) Client machines are configured at imaging time or by policy to NEVER check for updates.
d) Approximately once a month, pending updates are enabled. A policy is then scoped to a TEST group of users, running once, at logout, to do a softwareupdate -i -a
e) Test users are notified of the updates that they are trying and asked to let IT know if there are issues.
f) Once a week or two have passed with no issues, the softwareupdate -i -a policy is scoped to ALL users.

Your mileage may vary, but this works pretty well.
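
Steps (c) and (d) of the workflow above, sketched as a logout-policy script (an added example, not part of the original post). Before installing, it confirms the client's CatalogURL really points at the internal SUS, since a client with a missing or wrong catalog would pull unapproved updates. The hostname `sus.example.internal`, the log path and the `--apply` switch are assumptions.

```shell
#!/bin/sh
# Added example: logout policy for steps (c) and (d) of the workflow above.
# SUS_HOST and LOG are placeholders (assumptions), not values from the thread.
SUS_HOST="${SUS_HOST:-sus.example.internal}"
LOG="${LOG:-/var/log/sus_policy.log}"
PREFS=/Library/Preferences/com.apple.SoftwareUpdate

# Print the lowercased host of a URL: scheme, path, userinfo and port removed.
url_host() {
    rest="${1#*://}"      # drop scheme
    rest="${rest%%/*}"    # drop path
    rest="${rest##*@}"    # drop userinfo, so "sus@other" resolves to "other"
    printf '%s\n' "${rest%%:*}" | tr 'A-Z' 'a-z'
}

# Succeed only when the catalog URL's host is exactly the internal SUS.
# An exact match rejects look-alikes such as sus.example.internal.other.example.
catalog_is_internal() {
    [ -n "$1" ] && [ "$(url_host "$1")" = "$SUS_HOST" ]
}

main() {
    # An unset CatalogURL means the client would talk to Apple directly.
    catalog="$(defaults read "$PREFS" CatalogURL 2>/dev/null || true)"
    if ! catalog_is_internal "$catalog"; then
        echo "$(date) CatalogURL '$catalog' is not on $SUS_HOST; skipping" >> "$LOG"
        return 1
    fi
    softwareupdate --schedule off >> "$LOG" 2>&1   # step (c): no automatic checks
    softwareupdate -i -a >> "$LOG" 2>&1            # step (d): install enabled updates
}

# Only act when invoked by the policy with --apply (hypothetical switch).
if [ "${1:-}" = "--apply" ]; then
    main
fi
```
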