What we used (Stuck in a Windows place at the moment grrr.) was apt.
Rather than patching libs and binaries, we created packages of one lib, one binary etc. and used apt to handle dependencies. We could handle partial upgrades etc. without breaking things, and knew if we updated a program that required a particular version of a library things would be handled smoothly.
Also we had one server in each section (Development, Testing, Live) be the keeper for that environment, and all the other machines update from the one in their stage.
It worked well, we had a nice tool that was developed as well so it would check the build environment and create the packages for us. Wish I was still using it.