Implement patch management strategy
Microsoft Baseline Security Analyzer (MBSA) can be used to scan Windows operating systems for missing security patches and incorrectly configured settings that could leave Windows vulnerable to known attacks.
The System Center suite can be used to baseline and apply security patches.
Windows Server Update Services (WSUS) is a free patch deployment application available as a role in Windows Server 2008 R2 and as a separate download for Windows Server 2008. The version of WSUS available for both revisions of Windows is 3.0 SP2, but note that upgrading a Windows Server 2008 computer running WSUS 3.0 SP2 to Windows Server 2008 R2 will fail.
WSUS 3.0 SP2 supports the BranchCache feature of Windows Server 2008 R2 and also supports BITS peer caching; this allows Windows updates to be retrieved from neighbouring systems rather than directly from the WSUS server.
Approval deadlines can be used to force patches to be installed: setting the deadline to a date in the past forces the Windows Update Agent (WUA) to install the update immediately.
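The past-deadline approval described above can be scripted against the WSUS 3.0 SP2 administration API. The script below is an added example, not taken from the original page; the KB number and computer group name are placeholders, and it assumes it is run on the WSUS server itself with the administration console installed.

```powershell
# Added example: approve an update for install with a deadline in the past,
# so the Windows Update Agent installs it as soon as it detects the approval.
# 'KB0000000' and 'Pilot Servers' are placeholders, not values from the page.
param(
    [string]$KbArticle = 'KB0000000',
    [string]$GroupName = 'Pilot Servers',
    [switch]$Commit      # without -Commit the script only reports what it would do
)

# Load the WSUS administration assembly and connect to the local WSUS server
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Resolve the target computer group by name
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
if (-not $group) { throw "Computer group '$GroupName' not found on this WSUS server." }

# Find matching updates, skipping declined and superseded ones
$updates = @($wsus.SearchUpdates($KbArticle) |
    Where-Object { -not $_.IsDeclined -and -not $_.IsSuperseded })
if ($updates.Count -eq 0) { throw "No approvable update matches '$KbArticle'." }

# A deadline that has already passed forces immediate installation
$deadline = (Get-Date).AddDays(-1)
$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

foreach ($update in $updates) {
    if (-not $Commit) {
        Write-Output "Would approve '$($update.Title)' for '$GroupName', deadline $deadline"
        continue
    }
    try {
        [void]$update.Approve($install, $group, $deadline)
        Write-Output "Approved '$($update.Title)' for '$GroupName', deadline $deadline"
    }
    catch {
        # Approval fails, for example, when a licence agreement has not been accepted
        Write-Warning "Could not approve '$($update.Title)': $($_.Exception.Message)"
    }
}
```

Run it once without `-Commit` to review the matched updates, and target a pilot group first, since a past deadline can also trigger an immediate restart on clients when the update requires one.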
Update strategy for roaming clients: point the clients at a DNS name and have that name resolve to the local site where the roaming client is currently located.
For application patch level maintenance, consider the System Center Configuration Manager editions.