For the moment, I’m working on Debian GNU/Linux. Everything bought new (since sometime last fall) has the current stable release (4.0r0, or “etch”) installed, and everything older has the previous stable release (3.1r6, or “sarge”). Assuming that I keep apt sources for both the primary Debian archives and their security updates, the puppet recipe for managing apt upgrades should keep me running.
Things won’t get much more complicated when I bring some Ubuntu desktops into the infrastructure, since Ubuntu uses the same basic package management tools as Debian. I’ll have to read up some more on Solaris patch and upgrade management when I get ready to convert our few Solaris workstations.