The evaluation branch can be used since ePO Agent 4.0 so you can check the P4 package into evaluation branch safely and it will only be deployed to computers wih a update task using evaluation branch.
What you can also do is to check that you have no active update tasks that have the patch option selected and then create your own task.
So since my clients have VirusScan 8.7 with patch 2, do I check in just the patch 4 plus hotfix OR do I check in the whole VirusSca 8.7 patch 4 and then the hotfix?
I ask because in epo I see that for the Update Task you can choose patches or not for 8.7 but don't get to say WHERE they come from.
BUT for the product deployment you can choose which branch.
That makes me think I should check in the whole package 8.7 with patch 4 in it, and then hotfix 613356 separately, into eval.
Or, I guess I can check just patch 4 and hotfix into eval and then modify the agent for a set of test computers, to deploy patches from eval. I think I will try this approach.
I checked in just p4 and the hotfix and modifed the agent on a system with 4.5 p2 to get patches from eval and that worked perfectly. And my other p2 only systems without modified agent do not get p4. Works great.
Deployments of DAT's and content work well from Eval. Been using it for quite some time. Product deployment from Eval also work's fine. I have used for deployments over many thousands of machines.
Deployment of Patches on recently became available. I believe ePO 4.5 Patch 3 (Maybe 2) and MA 4.5 patch 1. Haven't used it yet. Got burned on earlier versions like ePO RTW.
Let us know how it goes.
So as I said, all went well. I can selectively pick who I want to get P4 + hotfix and not affect others.