Now for the good news: zone update on attach all suggests something very similar, all attached zones will be in the same state as a newly installed zone, not only updating packages with "SUNW_PKG_ALL_ZONES" set to true in the package. I have no idea when this will be implemented and/or available in S10, but it's something that could make life easier for people with large zone deployments. If it only could be released as a patch for the current Solaris update release, and not a patch as in you must patch your way to a whole new update.
From PSARC/2010/082:
"The current behavior of zones "update on attach" [1] with the "native"
brand using SVr4 packaging is to update the minimal set of packages
needed to make the zone usable. This is specified with the -u option.
We have heard from many users that this is not meeting their needs
or expectations. Instead, what they want is to update the maximal
set of SVr4 packages. That is, they want to update the same set of
packages as would be installed in a newly created zone so that they
can compare an updated zone to a new zone and see that they are
the same [2]. This case adds a new attach option, -U, to the "native"
SVr4 branded zone so that users can use "update on attach" to update
all of the packages as would be installed into a new zone."