As a DBA it sounds great to say we should have the flexibility to apply CUs or SP as necessary. The difficulty is when external entities(i.e. PCI-DSS) demands that all servers be at the most recent patch level to be in compliance. The Ivory Tower types who write the PCI standards prefer blanket statements like this, rather than fretting over whether a particular patch has anything to do with security or not.