Currently, we do not have a solution to do this.
I just spoke with the Product Manager for Shavlik Protect about this and he would like to see a feature request submission for what you are looking for. Submit A Feature Request
Charles mentioned your issue to me and I saw your feature request already. I did have some questions though. Are there any specific products or patterns to what you are seeing? Typically I would expect multiple rounds of patching to be needed in the following cases:
Patch up to date, then deploy a major SP like an OS SP. Service Packs do not look and see a new file on disk and leave it; they replace that newer file, which results in many patches needing to be redeployed after the SP is installed.
Some 3rd party vendors have point releases. These point releases often can only be installed in order. After they are up to date and you are maintaining new as they come out, this is a lesser issue.
In cases where a MS update affects either Windows Installer or Windows Update on the affected machine, that update interrupts the deployment process which has resulted in such a case as well.
Let me know if what you are seeing is one of those or something else I am not aware of.
We are interested in just Microsoft patches. It seems like a dependency issue where a certain patch has to be installed before other ones can be installed, which causes the server to have to be patched and rebooted multiple times.
The servers I was working on were Windows 2008 R2 and Windows 2012 R2. They were base images with all needed service packs but just missing a lot of patches. We would like to take a base image machine and run one job that will get it up to date (excluding service packs).
If it were 8.1 and 2012 R2 I would have thought maybe the CU1 update, but 2008 R2 throws that off.
So let me explain a little of what we do. Our engine will handle most situations without issue. There are VERY few cases where an update would cause the need to reboot before continuing more updates. I explained the ones that likely cause this above. One example of what our engine does to order patches in a way that will optimize deployment would be MS15-052 being replaced by MS15-055 in the same month's update. MS calls out the fact that you need to install 52 before 55 in their FAQ. Our engine knows one is replaced by the other and you only need 55 in that case, so we just push 55 and do not push additional unnecessary updates.
The wild card in this case can be Windows Installer. You can queue up enough things that WI will just say no more and force a reboot before you can proceed. This happens in cases where a system has had a lot of installs, uninstalls, and updates without a reboot to finalize. If this is the case you can do a pre-reboot to clean that slate. I have personally tested our product patching Windows XP, 7, and 2008 R2 systems fully up to date in one deployment with 3rd party updates included. That is over 100+ patches in a single deployment to a single machine.
Hope this helps,
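The supersedence pruning described in the post above, shown as an added sketch: it is not Shavlik's engine or code from this thread. The function names, the `SUPERSEDED_BY` table layout and the `EX-*` patch IDs are assumptions made for illustration; only the MS15-052/MS15-055 relationship comes from the post.

```python
# Constructed sample data. Each key is replaced by every patch in its set.
SUPERSEDED_BY = {
    "MS15-052": {"MS15-055"},  # relationship stated in the post
    "EX-1": {"EX-2"},          # hypothetical chain: EX-1 -> EX-2 -> EX-3
    "EX-2": {"EX-3"},
}

def replacers(patch, superseded_by):
    """Return every patch that directly or transitively replaces `patch`.

    Tolerates cycles in the metadata by never revisiting a patch.
    """
    found = set()
    stack = list(superseded_by.get(patch, ()))
    while stack:
        candidate = stack.pop()
        if candidate == patch or candidate in found:
            continue
        found.add(candidate)
        stack.extend(superseded_by.get(candidate, ()))
    return found

def deployment_set(missing, superseded_by):
    """Prune a scan result down to the patches worth deploying.

    A missing patch is dropped only when one of its replacements is also
    missing on this machine, so the replacement will be pushed instead.
    If no replacement applies to the machine, the older patch is kept.
    Input order is preserved and duplicates are removed.
    """
    missing_set = set(missing)
    keep = []
    for patch in missing:
        if replacers(patch, superseded_by) & missing_set:
            continue  # a newer patch in this job already covers it
        if patch not in keep:
            keep.append(patch)
    return keep

if __name__ == "__main__":
    scan = ["MS15-052", "EX-1", "MS15-055", "EX-3", "EX-9"]  # constructed scan result
    print(deployment_set(scan, SUPERSEDED_BY))
```
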