When you apply a hot-fix to an RMS, or Management Server, or Gateway server... a couple things will happen. First... it will update the server itself with whatever the hot-fix is supposed to fix... registry, DLLs, database updates, etc. Next, if the update needs to flow down to all agents... it will place an MSP file in the \AgentManagement directory under the OpsMgr installation directory.
Then, it will put the agents that report to the hot-fixed management server into pending actions for the update. It will only place the agents reporting to that MS/RMS into pending... not all agents. For this reason - you really should patch ALL your RMS, MS, and GWs first, before approving any agents.
Then, when you "approve" an agent for the update... what it actually does is reinstall the agent from its management server, then apply any update MSPs that are present and not already installed.
So - when you apply a hot-fix to a management group - before approving any agents, it is a good idea to check your \AgentManagement directories on all MS/GW roles, and make sure the \x86 and \AMD64 folders have consistent AND CORRECT patch files present.
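One way to run the consistency check recommended above before approving agents. This is an added example, not code from the original post: the function name, server names, paths and MSP file names are constructed placeholders, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: compare the hot-fix MSPs in \AgentManagement\x86 and \AMD64
# across management servers and report what each server is missing.
function Compare-AgentManagementPatches {
    param(
        # Server name -> path to that server's \AgentManagement directory (assumption: you supply these)
        [Parameter(Mandatory)] [hashtable] $AgentManagementPath
    )
    $findings = @()
    foreach ($arch in 'x86', 'AMD64') {
        # Inventory each server's MSPs as "name|size", so a same-named file
        # with a different size is also reported as a mismatch.
        $inventory = @{}
        foreach ($server in $AgentManagementPath.Keys) {
            $dir = Join-Path $AgentManagementPath[$server] $arch
            $inventory[$server] = @(
                Get-ChildItem -Path $dir -Filter *.msp -File -ErrorAction SilentlyContinue |
                    ForEach-Object { '{0}|{1}' -f $_.Name, $_.Length }
            )
        }
        # Union of every MSP seen for this architecture on any server
        $all = @($inventory.Values | ForEach-Object { $_ } | Sort-Object -Unique)
        foreach ($server in $inventory.Keys) {
            foreach ($msp in $all) {
                if ($inventory[$server] -notcontains $msp) {
                    $findings += [pscustomobject]@{ Server = $server; Arch = $arch; Missing = $msp }
                }
            }
        }
    }
    $findings
}

# Constructed demo tree under the temp directory: MS02 lacks one MSP in AMD64.
$root = Join-Path ([IO.Path]::GetTempPath()) 'AgentMgmtDemo'
foreach ($s in 'MS01', 'MS02') {
    foreach ($a in 'x86', 'AMD64') {
        $d = New-Item -ItemType Directory -Force -Path (Join-Path $root "$s\$a")
        Set-Content -Path (Join-Path $d.FullName "hotfix-A-$a.msp") -Value 'constructed'
    }
}
Set-Content -Path (Join-Path $root 'MS01\AMD64\hotfix-B-AMD64.msp') -Value 'constructed'

# Expect a single finding: MS02 / AMD64 is missing hotfix-B-AMD64.msp
Compare-AgentManagementPatches -AgentManagementPath @{ MS01 = "$root\MS01"; MS02 = "$root\MS02" } |
    Format-Table -AutoSize
```

An empty result means every server carries the same MSP set per architecture; it does not tell you whether that set is the correct one, so still review the file list itself.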
When you "approve" agents for the update... or perform a "repair", we recommend only doing 200 agents at a time, max. Phase the updates out in batches.
Then, use the "Patch List" view described in my previous blog post, to ensure all agents got updated. For agents that still need to be updated, simply run a "Repair" on those from the console, or patch them manually.
Any new agents that get pushed will automatically get the current hot-fixes applied, as long as the hot-fix MSPs are present in the \AgentManagement directory. However, manually installed agents must be hot-fixed manually.
Lastly... on the current batch of hot-fixes.... 950853 and 951380 BOTH update the SAME file.... mommodules.dll. 950853 (memory leak) updates this file to 6.0.6278.11, and 951380 (cluster discovery) updates the same file to 6.0.6278.20. IF you are planning on applying both of these fixes... technically, you only need the latter, since it includes the previous fix.
Now - if you are applying 954903.... this contains mommodules.dll 6.0.6278.36, which supersedes BOTH 951380 and 950853.... so if you need all three hotfixes - just apply 954903. However - note in the picture below, if you apply two hotfixes that update the same file, the management server \AgentManagement directory still keeps the older one.... apparently the hotfix process does not understand that they update the same file, nor does it clean out the older 951380. The problem with this is that any major agent deployment will get impacted... because every extra MSP adds to the install time and to the network load. In this example - an agent push will be copying over the agent MSI (9MB) plus each hotfix in this directory.... while we don't have any direct guidance on this area - I would recommend removing the older hotfixes that no longer apply, or are superseded by other hotfixes already in this directory.