I'm back and Server Updates

Well, I'm back from a nice Christmas break with the family. It's nice to be back at work and away from all the endless chaos that exists around my family and my wife's family. I'd much prefer the chaos that is Microsoft Server 2003. For a year now I've adjusted my schedule to come in early to apply Microsoft security updates once a week. I document the updates that I install in a Excel spreadsheet that sits in our documentation folder on the file server. That being said, I pretty much just install every patch that comes down the pipe. I don't have the luxury of having test servers or a test network that I can run the patches on first. After a year of this, I'm wondering if the bags under my eyes are worth it. At some point this year we will probably be purchasing a IPS to guard to entrance to our server farm. We will probably go with Enterasys Dragon because of our current investment in Enterasys hardware, but I've also had great success with TippingPoint as well. Any competent IPS should have Microsoft's security holes in it's signatures so any attempt to exploit them that way would be blocked....right???. Does anyone have any suggestions for a better way to manage the large security hole that is Microsoft???
-PC