Frater,
I think you may be right about the Windows Update patch doing this. Unfortunately, there isn't any good way around this if that is true.
I tried starting an image from scratch and updates are turned off until you go through the control panel to turn them on. Once you turn them on, it goes out and tries to patch the update agent with the most recent patch before it will load any other updates. So in order to get all the current patches on the image, you need to install that Windows Update patch.
There really has to be a way to get them turned off post deployment with a provisioning action, but I haven't found it yet. I'm going to get a case opened with Microsoft and will post back if I get anything from them.