Installing errata on Satellite Server

Satellite-maintain 'locks' packages to help prevent installation of new software on the Satellite server which might introduce problems, making Satellite a bit like an appliance. This includes installing errata. Our security department is dinging me about a few CVE's that are being detected on the server and I'd like to install errata indicated by the corresponding RHSA's.

Documentation for installing errata on the Satellite server is not very extensive. Basically it says to run 'satellite-maintain packages update', but this results in updating EVERYTHING and is accompanied by a big warning stating that this should only be done prior to upgrading Satellite to a newer version, so I'm not really sure that this should be the proper course of action.

I'm really just looking for the equivalent of 'yum update --advisory RHSA-yyyy:####'. What's the best way to handle this? I've been running the commands to unlock, update, lock followed by satellite-installer (and a reboot if a new kernel was installed):

#satellite-maintain packages unlock
#yum update --advisory RHSA-yyyy:####
#satellite-maintain packages lock
#satellite-install

Is there a better, or more proper way?

thx