I have the same question. For now I use the HealthChecker.ps1 script.
From MS mail:
Q: Is there a method I can use to determine which of my Exchange servers can install the security updates directly, and which will need to have a supported Update Rollup (UR) or Cumulative Update (CU) installed first?
A: Yes. You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates.
https://github.com/dpaulson45/HealthChecker#download
It also shows whether the patch is installed, in the txt file under Exchange Information.
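One way to script the check the mail describes across a whole org, as an added example that is not part of the original post or of the HealthChecker project: it runs HealthChecker.ps1 per server (assuming the script sits in the current directory and takes the `-Server` and `-OutputFilePath` parameters as in the published release), then independently reads the file version of ExSetup.exe on each server, since a Security Update bumps that build while `AdminDisplayVersion` only reflects the CU. The `$PatchedBuild` table is an assumption you fill in yourself from the Microsoft release notes for the SU you are deploying; the function name and the output fields are hypothetical.

```powershell
# Added example, not from the original post or the HealthChecker project.
# Requires the Exchange Management Shell and PowerShell remoting to each server.
function Get-ExchangeSuStatus {
    param(
        # Keys are "Major.Minor.Build" of a CU that has an SU available;
        # values are the minimum ExSetup.exe version that carries the SU.
        # Fill from the Microsoft release notes; e.g. @{ '15.x.y' = '15.x.y.z' }
        # (assumed format, not real build numbers).
        [Parameter(Mandatory)][hashtable]$PatchedBuild,
        [string]$HealthCheckerPath = '.\HealthChecker.ps1',   # assumed location
        [string]$OutputFolder = 'C:\Temp\HealthChecker',
        [switch]$RunHealthChecker
    )

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    foreach ($srv in Get-ExchangeServer) {
        if ($RunHealthChecker) {
            # Assumes the released script's -Server / -OutputFilePath parameters.
            & $HealthCheckerPath -Server $srv.Name -OutputFilePath $OutputFolder | Out-Null
        }

        # Independent check: SUs update ExSetup.exe, CUs update AdminDisplayVersion.
        try {
            $exSetup = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
                (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo.FileVersion
            }
            $installed = [version]$exSetup
            $cuKey = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build

            $status = if (-not $PatchedBuild.ContainsKey($cuKey)) {
                'NeedsCUFirst'        # running a CU with no SU available: upgrade CU first
            } elseif ($installed -ge [version]$PatchedBuild[$cuKey]) {
                'Patched'             # ExSetup.exe already at or above the SU build
            } else {
                'NeedsSU'             # supported CU, SU can be installed directly
            }
        } catch {
            $exSetup = $null
            $status  = 'Unknown'      # server unreachable or ExSetup.exe not found
        }

        [pscustomobject]@{
            Server              = $srv.Name
            AdminDisplayVersion = $srv.AdminDisplayVersion.ToString()
            ExSetupVersion      = $exSetup
            Status              = $status
            HealthCheckerOutput = if ($RunHealthChecker) { $OutputFolder } else { $null }
        }
    }
}

# Usage (build table is an assumption you must replace with real values):
# Get-ExchangeSuStatus -PatchedBuild @{ '15.2.986' = '15.2.986.0' } -RunHealthChecker |
#     Format-Table -AutoSize
```

`NeedsCUFirst` servers are the ones the MS mail says must take a supported CU/UR before the SU; `NeedsSU` servers can install the update directly. Cross-check the `Status` column against the HealthChecker txt report for the same server before acting on it.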