As you can have the guest domains running at different patch levels than the host, and each other, as they are effectively "independent" machines, I don't think it matters, as long as you follow the patch guidelines and recommendations for whichever you do.
We have always done the host domain first, but that is more of an internal method of getting approval from the differing departments with "machines" running on it.
Of course, whichever you do, you do have a good full backup before you start work, right?