When we had to patch and SP a ton of Win2K machines, we used LANGuard (
http://www.gfi.com/languard/) which comes (or did come) with a patch deployment agent. It installed the patches (which required a reboot), and we let it reboot at the end of the day. Nice.
You can use Group Policy to make software available, but the client still has to install them manually. I know that MS SMS will allow you to deploy patches, etc, but for all of that you need a Windows 2000 or 2003 server. At least with LANGuard you can just run it from an "administrative" workstation.
Cheers
ZB