A question that was often raised after the launch of Windows Server 2008 was about Server Core and our Security Bulletins: how do you know whether a Server Core installation needs updating as well? This month we added a statement to our Security Bulletins that answers this question. As an example, in MS08-036 we state under Affected and Non-Affected Software: "Supported editions of Windows Server 2008 are not affected if installed using the Server Core installation option", and in MS08-035 we state: "For supported editions of Windows Server 2008, the same severity rating applies whether or not installed using the Server Core installation option."
I hope this helps to make your life a little bit easier.
Are there any best practices or a whitepaper on how to best apply/install security patches?
Yes, there is some content on microsoft.com:
There is a whole site dedicated to Security Update Management: http://www.microsoft.com/technet/security/guidance/PatchManagement.mspx
In addition, MSIT (our internal IT) shows how we do update management at Microsoft from a server and a desktop perspective:
This is the server side: http://technet.microsoft.com/en-us/library/bb735249.aspx and the desktop side: http://technet.microsoft.com/en-us/library/bb735139.aspx
Hope this helps.