SQL Server security updates for cluster instances through Microsoft Update, WSUS, SMS, and MSBA
Starting with Microsoft Security Bulletin MS09-004, SQL Server security updates can be deployed to a cluster SQL Server instance using Microsoft Update and WSUS. As it is necessary to provide credentials for the installer to run the update on the passive node, the update needs to run in attended mode through Microsoft Update to capture these credentials. It is recommended that you run the update on the Active node first, which will patch the instance on the passive node, and then run the update on the passive node to ensure all other components are patched.
MSBA will also work against a SQL Server clustered instance.