I want to create a separate Machine Group to include only those servers requiring service packs. For the scan, I cannot locate in the template where to select just Service packs. Does this exist as an option?
Can you please confirm the version of Protect you are running? You cannot add Service Packs to a Machine Group like normal patches, there are more options with a Service Pack Group but that only works with agents and won't help with what you are trying to do. Is there a reason you can't use a Security Patch Scan and your current Machine Groups? Scans against them would show missing Service Packs and allow you to deploy to the machines that require them. There is no chance of pushing Services Packs to machines that do not require them, barring content issues.