Just to confirm...when you say patch updates do you mean virus definitions (DATs) or actual patches?
Either way it all depends on how you've configured your 'Update Master Repository' scheduled server task. Simple have one task to update the evaluation branch and disable any update task for the current branch.
If done correctly then the Current branch will remain unchanged allowing you to update it as and when you wish.
I can't remember if it's a setting somewhere but i've never had ePO update patches or software automatically. I've always been able to manage everything manually either using the software manager or downloading files directly from the McAfee website with a grant number.
How do I manually approve the dat version to CURRENT branch? Is it based on DAT number?
The problem is by the time you evaluated the DAT in evaluation the DAT in McAfees repositories will have advanced. I don't believe you can update incremental DATs to a particular level (you can only check in SuperDATs). So an update repository task will potentially update to newer DATs.
Can we create multiple custom branches for DAT updates?