Normally we suggest that they test the patches first before applying them. It would be good if they are tested on a test server (if they have spare servers).
In addition, critical patches should be checked with the vendor first (assuming you have some applications running above the O/S; therefore, it's good to ask them before applying, otherwise you may have problems like blue screen or some services not running, etc.). Bear in mind, all IT Depts will not do the patch because they'll say, "if it's not broken, why fix it" (meaning they're scared if things go down, so give them OT to work on the recovery.....); however, they should get the approval or rationale for patching/not patching the updates, etc.
Also document the patches before/after, so you have a trail on that. And of course all patches should be approved by the management.
Done all 3 certs, now going for CISSP.....