Regarding scheduling of updates - that's entirely up to you. There was an awesome post (https://thwack.solarwinds.com/docs/DOC-175651) just made by travis.fenton.41 which calls out how to handle this scheduling if you want to utilize Patch Manager. I know that you saw it!
Regarding your KB2949927 difficulty, it looks like this falls into the "This #*$&@ patch broke my computer" file.
Microsoft's latest on that KB is this: http://support.microsoft.com/kb/2949927
"The security update that is described in the security advisory was removed from the Download Center because of an issue with the update. Microsoft is researching this problem and will post more information in this article when the information becomes available."
In the most technical sense, this update has been expired by Microsoft. The PowerShell script that I called out above, which runs after each synchronization, declined this update for my environments specifically because Microsoft "expired" it.
Regarding Credential Rings: you can use a local admin account for your non-domain devices - you just need to define it differently. I've edited the "default" credential ring and added a ".\Administrator" account to it. Then I assigned that particular account as a Local Admin (Second Option). This means that whenever Patch Manager tries to contact something, it will start with the Local Admin account. If that fails, it will try the next level (or the <Default> if you have that defined). Technically, this means that your on-domain devices will also be attempted first with the ".\Administrator" account. That's OK in most environments because either the Admin is disabled or it's been renamed.
Specifically on your final thought, the proper answer is to keep running the updates until there are no more. I'm sure that in a perfect world there would be a time and place where you could install patch "B" along with security roll-up "A" for a specific product, but the detection algorithm that works within the Windows Update Agent isn't flexible enough to handle this at present. The best way to avoid it is to have the systems regularly run the updates.
I hope that I haven't muddied the waters for you any more than is strictly necessary and I hope that it helps you out. If you want to speak more on this, feel free to contact me via direct message and maybe we can look at some stuff together.