The first concern I see is doing the updates during the initial install of Windows. If you are connected to the Internet to do that your Windows install can (will?) become contaminated. Of course you could clone the off-line install to another connected machine, run MBSA and download the necessary patches, verify the patches to be clean then manually transfer them to the off-line machine and install them.
How about running your Windows install as a virtual machine on the Linux host? Here is how to set this up to work using the free VMWare Player.
1 - configure the Linux host swap as an encrypted partition (in case of leakage from VMWare Player).
2 - create a True Crypt container to hold the files for the VM.
3 - install Windows into VMWare Player. (You can turn off networking while doing the install.)
4 - install anti-virus and other protective software into the Windows VM.
5 - enable networking on the VM and install updates, virus definitions etc.
6 - shut down the VM and archive a copy of the files from the True Crypt container
7 - start the Windows VM and do whatever naughty business you need to do
with or without networking enabled
If (when) the Windows VM gets hosed, contaminated or whatever, copy the files from the archive back to the True Crypt container.
The second concern... I think that Live CDs may use available hard drives for swap space. I am not sure but if you are concerned about leaving traces you might want to double check.
Ken
p.s. Windows can be run from a CD/DVD - look into Bart-PE or Hawk-PE. I cannot comment on the licensing status of these products (well not favorably at least).