The Windows Update client can be configured to perform installations at odd hours. Combined with a solution to do Wake-on-LAN you can get update deployment to occur outside of normal hours fairly easily. (We use some scripts to do this, but there are probably off-the-shelf solutions, too.)
WSUS has been exceedingly reliable for me. I'm particularly fond of the reporting functionality in locating computers that are not receiving updates properly.
The Windows Update client is easily manageable with group policy, so that makes us very happy, too.
There are third-party and Micrsoft products (SCCM, comes to mind) that do more than just operting system patch management. I don't have any experience to relate about these. These products look to be priced out of the ballpark for the size of Customers I'm working with. (We've usually handled patching applications via startup scripts or re-deployment of patched software assignments thru GPOs...)