What's happening to you is that the iOS device is not checking for the update at the time it is connected to those networks and only when it is connected to the network with the blocked subdomain.
Not exactly certain how the device would NEVER check for the update when I am at the office for 8 hours at a clip or never check when I am out and about.
But - ironic twist - as soon as I typed that update earlier this morning - while I was here at the house on my Wi-Fi network - I suddenly got a badge on my phone!
Found out that my phone was connected via our D-Link network extender (which gives us better coverage on the top floor of the house) and NOT our main router Wi-Fi.
Even though I have this device listed amongst the group of devices (by MAC address) that I want to be BLOCKED from mesu.apple.com on the router - this device still seemed to reach the update destination somehow and now I am "infected".
Can I just delete that XML file to get rid of this crap?
And any tips on blocking the extender so it cannot reach mesu.apple.com?
Sonic.