Microsoft has mandated that AntiVirus vendors set a reg key in their software; this will show which vendors have updated their software and those who have not; apparently, current AV engines won't stop Meltdown or Spectre. If the reg key has not been set and you're running AV software other than Microsoft's, you will not receive January updates or subsequent updates.
I've been reading that firmware/microcode will be updated by hardware manufacturers and, therefore, should be installed.
A strategy we're employing is to install patches on a few servers and see what happens - making a snapshot first, of course. Then if all goes well continue to roll out patches.
The overarching theme is to patch now and continue patching, which I presume means keep patching until the current afflicted hardware is replaced with CPUs that are not susceptible to these two flaws. This brings up a number of questions in my mind, however.
Anyway, if you would like to review a brief guide on how to protect your machines follow this link: https://thehackernews.com/2018/01/meltd ... tches.html
Hope this helps.