Best Practice for Update Policy Changes in an VDI enviornment

Question

We work in a VDI environment and recently we received a major Sophos update which started a chain reaction of updating our clients, which put a MAJOR strain on our CPU bandwidth. This caused EXTREME lag on our other clients and prematurely ended other peoples sessions. My boss tasked me with finding a solution as quickly as possible. 
 My question is, can we change/add a policy that does not push out the update until we update the gold image which would then go out to the client pools? 
 I am currently using Enterprise Console 5.2.2 with Sophos Endpoint Version 10.6.4.

QC · Accepted Answer

Hello David Levine, 
 minor correction: a policy (or the server) does not push out the update . Endpoints check regularly for updates and download them. Now, a specific update location ( ...\CID\Snnn\SAVSCFXP\ ) always contains only one version, which one is determined by the details of the Subscription (pane on the left in the console's Update Managers view). The SUM in turn checks the Sophos warehouse (interval or defined schedule), and whenever updated contents are available it downloads and distributes them to the update location. 
 In order to avoid "sudden updates" you have to use a Fixed Extended subscription (please see the article for details). 
 BTW: Please consider upgrading SEC - 5.2.2 is already retired and furthermore it can't manage all the features in 10.6.4, let alone the forthcoming 10.7.2 
 Christian