Many customers choose to upgrade one firewall at a time so that they can test the new patch(es). The main problem it will cause is that any policy changes done while they are at different versions will not synchronize. The failover functionality should still work just fine, so if the primary firewall has an issue, the standby will take over; they just might have different policy versions.
Do you recommend that I rather deselect the option to Apply packages on all of the synced members then and completely upgrade one of the firewalls first? I have an additional challenge which might complicate the process a bit. I have already upgraded 11 firewalls through the Control Center and every time after a package is installed (8.2.1, for instance), communication between the firewall and the Control Center cannot be established unless I create a temporary rule on the firewall (through the Admin Console) to allow traffic for the Control Center Management app between the firewall and Control Center on port 9005. I know this rule is not necessary under normal circumstances, but after reboot the firewall listens on the wrong region for comms from the Control Center (external zone) and to get it to listen on the appropriate region, the rule must be created or changed (disabled or enabled)! Since the upgrade, this still happens from time to time, especially after a firewall reboots.