It would be good to provide a bit more information - it seems that if push this policy out to computers that have 10.12.5, it will upgrade to 10.12.6
But if I push it out to computers that already have 10.12.6, but need some other apps updating, it just updates those apps.
I have a lot of machines still on 10.12.5 and I'd like to make them aware that they are about to install an update that will take a while to complete after a restart..
I guess the best way to do it, is to scope one directly to users with <10.12.5 and call it 10.12.6 update, and another for everyone else...
