Yep you have it right. Every time you want to update a template that's stored in the CL you have to:
1.) Deploy a new VM from it.
2.) Patch said new VM.
3.) Upload VM back into CL.
4.) Let new VM replicate to subscribing libraries from scratch (optional).
This process is due to the lack of two, in my opinion, critical features that *still* exist today even in its third iteration:
A.) Lack of support for native vSphere templates.
B.) No ability to delta synchronize bits within.
Hopefully one decade these features will finally be available. Until then, such a ridiculous flow will be necessary as long as you use CL.