This disclosure describes techniques for providing users of services provided by network-based service platforms with additional control for approving patches that are to be deployed to computing resources that support their services. In some examples, the techniques include generating and using a “snapshot,” or list, of patches that are preliminarily approved for deployment. Prior to deploying the patches to the computing resources, users are provided with access to the snapshot and are able to modify the snapshot. For example, users can modify the snapshot by adding patches, removing patches, specifying a sequence in which the patches are to be deployed, and so forth. The snapshot of patches may be “frozen” for a period of time, meaning that patches that during the period of time, only patches in the snapshot are deployed, and patches that are not included in the snapshot are not permitted to be deployed to computing resources.