Compare two ZTIWindowsUpdate logs with this script to see which patches added and removed
The standard MDT step called "Install Windows Updates" calls ZTIWindowsUpdate.wsf script that essentially installs all updates from Microsoft Updates site. I, personally, recommend this method when building your golden images.
Now, when somebody asks you, what has changed, the answer "the image was updated with latest patches" may not be sufficient. The attached script will compare two ZTIWindowsUpdate.logs - the one you have from previous build and the new one and gives you two lists - the list of patches that were added and the list of patches that have been removed. Now you are in control what gets in your images and what gets removed.
Usage: cscript ZTIWindowsUpdateLogCompare.wsf /OldLog:<Old Log File> /NewLog:<New Log File>
Thank you for using my work.