WSUS is easy to manage and would ensure that your laptop users get patched the moment they arrive on your network.
Secondly, if these users are off the network that often do they really need to be in your AD structure? If not then I would begin setting them up off the network with a VPN solution so the users would still have access to the domain if and when needed via user authentication.
Third enable, if you have not already done so, automatic updates on those client machines so when off the network it will go out and connect to get all critical patches.
If none of these seem to be viable for you, another method as mentioned above and its more work than its worth is to copy all said patches to dvd, CD, or make a website that the users can get to via VPN and will be able to see all the patches released for said month and click a link to get them. My site uses this sort of web interface for off site users along with not having them on the domain and enabling the automatic updates clients.
Hope those help.
-Cheers-