Just out of curiosity, what's preventing you from moving forward with BSA to do the patch analysis? It would really make this task a breeze. All you'd have to do is put the QNUMBERs of the patches in a text file and use that as an include list in your Patching Job to run the analysis. If case you didn't know, you don't have to apply the patches, you can just analyse them to get what's missing if that's all you need.
It takes less than a day to setup (including the initial catalog update), and would save you days of work.
If you still don't want to use BSA, I wouldn't do it this way at all as it's way to complicated for nothing. If you have an XML and this is for Windows, I would use a Powershell script to loop through it and check if each patch is installed. You can still call the powershell script using BSA and NSH if you wish...
Yes, that's what I wound up doing Yanick. I always try to use the BSA data inherently before I consider creating Extended Objects. But, in this case, as you mentioned, it seems extremely complicated, if not impossible.
Note: I have no control when the Organization is going to move to BSA for Patch Management and was told it's probably a year away.
Sometimes it's just a matter of missing information. The patch management module could still save a tremendous amount of time by allowing you to scan servers for missing patches. You don't have to fully deploy the patches, you could only use it to analyze missing patches, and that takes no time to setup. It also wouldn't take any space on the file server because you don't have to download any patches to analyze them (until you decide to remediate/install the patches, if you ever do so). I would really try to sell that if I were you. If anything you propably spent more time working on that powershell script than it would have taken you to setup a quick patch catalog.