In your agent policy when you set up a patch task you have the option to separately enable deployment for patches and service packs. If you only enable deployment for service packs, you could then set it to use a service pack group if you only wish to deploy one specific service pack.
A couple things to note - You can create multiple patch tasks within a single agent policy, and the use of service pack groups is only available when using agents.
I hope this helps.
I am all set with the agents, my question, and how I should have phrased it, is how to do this agentless.
For agentless service pack scanning and deploy you cannot filter service packs out of the scan, and you can only deploy one service pack at a time (go to scan results > right click on the SP > choose "Deploy latest service pack".
I would suggest taking a look at the following Help document within Protect:
Help > Contents > Agentless Patch Management Tasks > Deploying Patches > Deploying Service Packs