in addition to Malcolm's reference to SMT, you may also want to look into using SUSE Manager (which is a payed-for product you'd need to license, unlike SMT) if you're running an over-all larger number of servers and/or need more support for release life-cycle control.

There are different levels of "not connected to the Internet". I. e. if you just have these servers behind a cascading firewall and limiting their connections to "internal" systems (put permanently available), then a single SUSE Manager server should be fulfilling your requirements. (your servers all go to SUSE Manager and SUSE Manager serves what it pulled from SUSE servers, aka "upstream").

If you have a stricter policy, barring your restricted servers from network access most of the time, you could set up a so-called "ISS" server (a SUSE Manager with according configuration), which needs to be *triggered* to pull its patches from an upstream SUSE Manager server. You'd place the ISS server alongside your restricted servers, these will fetch their updates form that ISS server. On occasion, you'd open up the link so that the ISS server can pull updates from the upstream SUSE Manager, then close the link again. No automatic pulling in of things, but full control. And you're still able to maintain all basic functions (like providing your channels of *tested* versions, organizational configuration and so on) via the master SUSE Manager (and have those pulled by the ISS server as well).