When you upgrade ISE you will always start with the secondary PAN, once that is upgrade it will become the primary PAN, and then the upgrade will carry on upgrading the old primary PAN. This whole process will cause a brief disruption only for the new sessions that will be sent to the second PSN at the time its services are being restarted, however, it won't affect the sessions that have been already authenticated/authorized. One thing you could do if feasible would be to remove the the second PSN from the RADIUS servers list on the network devices, and then put it back on the top once the upgrade is completed on that node. And then remove the other PSN until the upgrade is finished and put back on the list.

We have a 2 unit node like you describe and we really don't see disruption. You may see some auth latency as a device may need to see it down before it uses the second one. We still patch in weekend maintenance windows for safety, but I have not see auth go down.

For a patch, we see the primary patch and reboot first, once up we see the secondary node patch and reboot. what we do see is since our secondary is primary MNT, we loose live logs while it's down.

If you patch from CLI, you will have more control over which node to be patched first. You can start wit the CLI of the Secondary and patch it and then it will reboot.
Once the Secondary is up and running after the reboot, you can start with the Primary ISE node from the CLI. 

There should be no outage, unless if any of the NADs (wireless/switches) is configured only with a single ISE server instead of both ISE servers.