Given each controller is secondary for the other site:
I would pre-download the 17.9.4a code to existing WLC and pre-download to the APs but not swap/ activate the image
Then build up new VMs
Have the config on them
Shut down Site As WLC
Turn on 17.9.4a WLC for Site A and change IP to be same as old WLC (ensuring it already has the config on it including tags if using static tags)
Fail Site A APs back to it, APs will reboot to change image and experience approx 5-15min outage
Would then fail Site B over and have same outage
Replace Site B WLC Fail back
Now point to note, could split the two but if primary WLC failed all APs would fail over and have to swap image and cause 5-15min outage - but that comes down to the risk appetite
*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***