Patching with Puppet
Solution 1:
Patch management is a very broad topic that can have variables like company policy. Therefore there is no out of the box solution that fits all needs, and therefore, puppet only comes with the tools to create solutions that match your specific requirements.
For Rpm or Apt based Linux, all you need is custom repositories, which can be created by rsync, or mrepo, or Satellite or Pulp. Then use puppet to point your servers to these repositories. Puppet can then use Rpm or Apt to manage packages for you. (Check other pages on that site)
Pulp also lets you track what RPM packages are present on what servers, and install them remotely. You could use puppet to install and configure Pulp on your servers. Pulp is a new and not so mature product btw. The features that pulp offers could be built using puppet with some thought and effort.
For Solaris, if it's an individual package, you could use the "pkgadd" provider.
To selectively install multiple Solaris patches, or to install "all the latest" patches, you could use an external script along with puppet "Exec".
There is a popular open source script that people use to manage patches on Solaris. PCA. With PCA, you can create internal mirrors of Sun patches, and configure servers to use those mirrors, instead of going out to the internet.
For installing Solaris packages, you can use the "bldcat" tool from OpenCSW to build internal package repositories. Then you can use "pkgutil" in Puppet to install your internal (and CSW) Solaris packages.
Your architecture then becomes very similar to Linux + yum or Apt.
Solution 2:
Solaris (at least up to and including 10) is a little different to Linux in that it has "patches", which aren't the same as "packages". So, to provide some information about what you could do in Solaris:
At a very basic level, you can tell Puppet to do something "onlyif" an external command succeeds, or "unless" an external command succeeds.
So thinking of this in terms of Solaris patches, you could write yourself a little module to ensure particular patches are installed. That module would check (e.g. by parsing the output of "showrev -p", or perhaps grovelling around in /var/sadm if you're confident) that the patch isn't already applied, before applying it.
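The "unless" check described in this answer, as an added example that is not part of either answer above: a POSIX sh script that parses "showrev -p" output and exits 0 when the wanted patch, or a newer revision of the same base patch, is already applied, so Puppet's "exec" skips the "patchadd". The sample "showrev -p" lines and the /usr/local/bin path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from either answer above. Intended use in a manifest:
#   exec { 'apply-119254-75':
#     command  => '/usr/sbin/patchadd /var/tmp/119254-75',   # hypothetical path
#     unless   => '/usr/bin/showrev -p | /usr/local/bin/patch_applied 119254-75',
#     provider => shell,   # the "unless" command contains a pipe
#   }
# Solaris patch IDs are BASE-REV (119254-75); a higher REV of the same BASE
# supersedes lower ones, so 119254-75 must not be reinstalled when -80 is present.

# patch_applied WANTED   reads "showrev -p" output on stdin;
# exit 0 if WANTED (or a newer revision of the same base) is applied, else 1.
patch_applied() {
    base=${1%-*}
    want_rev=${1#*-}
    # Highest installed revision of this base patch; 0 if none is listed.
    best=$(awk -v base="$base" '
        BEGIN { max = 0 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END { print max }')
    [ "$best" -gt 0 ] && [ "$best" -ge "$want_rev" ]
}

# Constructed sample of "showrev -p" output, used only for local testing.
SAMPLE_SHOWREV='Patch: 119254-80 Obsoletes: 119254-79 Requires: 118833-36 Incompatibles:  Packages: SUNWcsu
Patch: 118833-36 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 120011-14 Obsoletes: 120011-13 Requires:  Incompatibles:  Packages: SUNWcsl'

# check_sample WANTED -> runs the check against the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_SHOWREV" | patch_applied "$1"
}
```

On a real host the function reads live "showrev -p" output from the pipe; check_sample only exists so the logic can be exercised without a Solaris box.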