Yeah, you've stumbled onto one of the most confusing elements of ePO. I'm about six months removed from being an active ePO admin, so my terms may be slightly off, but here's the distinction:
For VSE, there are two types of installers: full installers and update installers.
Full installers install VSE on systems that do not currently have VSE, and are deployed through client deployment tasks.
Update installers upgrade VSE on systems that do currently have VSE, and are deployed through product update tasks.
For client deployment tasks, you specify which version (i.e. which branch, Previous, Current, or Evaluation) you're going to use for that deployment task when you build the task. Pretty simple.
For product update tasks, the branch to which the product will update is determined by a McAfee Agent policy. The Agent policy points to a branch, and when the product update task runs, it determines whether or not it needs to download and install that update patch.
For example, let's say you have VSE 8.8 Patch 8 checked in to the Current branch in the master repository, and VSE 8.8 Patch 9 checked in to the Evaluation branch in the master repository. You want to update a server from Patch 8 to Patch 9. You would need to modify that system's McAfee Agent policy to look at the Evaluation branch for VSE updates, then initiate an Agent check-in so that new Agent policy is loaded onto the server. Then, you would run a Product Update task, which would pull down the Patch 9 installer and run it.
Alternatively, in this scenario, you could move the Patch 8 installer to the Previous branch and the Patch 9 installer to the Current branch. Then, this server would grab the Patch 9 update installer without needing a modification to its Agent policy. However, you do run a risk that other systems are set to update from the Current branch and have scheduled Product Update tasks that update VSE. If that's the case, you may accidentally release Patch 9 to systems unintentionally (not that I've ever done this...).
So I hope that clears it up. It's a bit confusing, especially since many other McAfee products such as TIE and DXL update with client deployment tasks, not product update tasks.
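
The two rollout options from the post above, modelled to show which systems each one would actually patch. This is an added example, not part of the original post and not an ePO API: the inventory, system names and field names are constructed, and "needs the update" is assumed to mean the branch offers a higher patch than the one installed.

```python
# Toy model of the branch logic in the post above; not an ePO API.
# Inventory, system names and field names are constructed for illustration.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class System:
    name: str
    installed_patch: int       # VSE 8.8 patch level on the system
    agent_branch: str          # branch the McAfee Agent policy points to
    runs_update_task: bool     # a Product Update task that updates VSE will run

# Master repository as in the post: Patch 8 in Current, Patch 9 in Evaluation.
REPO = {"Previous": None, "Current": 8, "Evaluation": 9}

INVENTORY = [
    System("srv-target", 8, "Current", True),
    System("srv-db01", 8, "Current", True),
    System("ws-0042", 8, "Current", False),
    System("srv-legacy", 8, "Previous", True),
]

def would_update(repo, systems):
    """Map system name -> patch its next Product Update task would install."""
    out = {}
    for s in systems:
        offered = repo.get(s.agent_branch)
        # Assumption: "needs the update" means the branch offers a higher patch.
        if s.runs_update_task and offered is not None and offered > s.installed_patch:
            out[s.name] = offered
    return out

def repoint_agent_policy(target):
    """Option 1: point only the target's Agent policy at Evaluation."""
    systems = [replace(s, agent_branch="Evaluation") if s.name == target else s
               for s in INVENTORY]
    return would_update(REPO, systems)

def promote_to_current():
    """Option 2: move Patch 8 to Previous and Patch 9 to Current."""
    repo = {"Previous": 8, "Current": 9, "Evaluation": None}
    return would_update(repo, INVENTORY)

def unintended(updated, target):
    """Systems that would take the patch besides the intended one."""
    return sorted(set(updated) - {target})

if __name__ == "__main__":
    for label, result in (("repoint policy", repoint_agent_policy("srv-target")),
                          ("promote to Current", promote_to_current())):
        print(label, result, "unintended:", unintended(result, "srv-target"))
```

Running the same comparison against a real export of Agent policy assignments and scheduled tasks before moving a package into Current gives the list of systems that would be swept up.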