From a personal point of view, the options provided by SCCM 2012 create a superior experience by its flexibility and options the Software Update Point (SUP). Especially the features Automatic Deployment Rules and Offline Servicing allows administrators to create a very powerful set of tools to automate Software Updates. You can extend its capabilities by using System Center Updates Publisher (SCUP) 2011 which allows publishing your own Software Updates either by a vendor’s catalog or updates published by yourself.
Any Software Update Point that is on top of a hierarchy connects to connect to Microsoft Update to synchronize and download the Software Updates your organization requires. This works fine for most organizations who allow the SUP to be connected to the Internet. A proxy server can be set if required.
But what if an Internet connection is not available? Some high security environments have company policies which forbid the internal network to be connected to the Internet.
The only option is having a separate WSUS server running which is located in a perimeter network which does have access to the Internet.
You can use WSUSUtil.exe to export and import Software Updates but this requires quite an amount of administrative effort.
The other option is configure an upstream server in the WSUS SDK Console temporarily. This can be done either manually or you can write a script. This requires quite an amount of administrative effort and it is not a best practice to modify WSUS settings in the WSUS SDK Console. SCCM 2012 sets the required values by itself.
Fortunately, the issues mentioned are no longer required with SCCM 2012 SP1.
At the following TechNet page you can view what’s new in SCCM 2012 SP1:
I quote the welcoming feature regarding Software Updates:
‘At the top-level Configuration Manager site you can now specify an existing WSUS server as the upstream data source location. During synchronization, the site connects to this location to synchronize software updates. For example, if you have an existing WSUS server that is not part of the Configuration Manager hierarchy, you can specify the existing WSUS server to synchronize software updates.’
Keep in mind though that an additional WSUS server is required which is able to communicate with Microsoft Update…
In order for this to work you need to install hotfix KB2720211 on the Site server that hosts the SUP