I maintain a few dozen servers all running Lucid. Setting up a local mirror is probably a good idea anyway, but I also have a unique need.
The (EC2 instance) servers are all configured to get security updates only. That's how I want it. The problem is that when I create a new server/EC2 instance and download packages, those packages are completely current and out-of-sync with the rest of the cluster. I can use Chef to pin explicit package versions, but then minor updates will make whatever we pin unavailable.
So what I'd like to do is this... I want an apt mirror that mirrors the Lucid repository, but only gets security updates, not regular ones. Then by pointing all my servers to that mirror, I can keep everything running the same version, but also avoid unnecessary updates.
Setting up a mirror itself with apt-mirror seems simple enough, but what I'm missing is how to make sure the mirror only does security. How do I set up an apt mirror that only gets and propagates security updates? I feel like I'm missing something obvious.
When you set up your mirror, in your sources list, /etc/apt/mirror.list, only include the security archives.
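
A way to check that a mirror.list really lists only the security archives, as an added example that is not part of the original answer. The sample file contents, the function names and the allow-list argument are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /etc/apt/mirror.list in apt-mirror's format.
# The lucid-updates line is the kind of entry that would let
# non-security updates into the mirror.
sample_mirror_list() {
cat <<'EOF'
set base_path /var/spool/apt-mirror
set nthreads 20
# security pocket only
deb http://security.ubuntu.com/ubuntu lucid-security main restricted universe multiverse
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted
deb http://archive.ubuntu.com/ubuntu lucid-updates main restricted
clean http://security.ubuntu.com/ubuntu
EOF
}

# audit_mirror_list "ALLOWED SUITES" < mirror.list
# Prints every mirrored suite that is not in the space-separated
# allow-list. Returns 1 if any were found, 0 otherwise.
# Usage: audit_mirror_list "lucid-security" < /etc/apt/mirror.list
audit_mirror_list() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        # deb, deb-src and deb-<arch> lines: field 2 is the archive URL,
        # field 3 is the suite. "set", "clean" and comment lines are skipped.
        $1 ~ /^deb(-[a-z0-9]+)?$/ {
            if (index(allowed, " " $3 " ") == 0) {
                printf "line %d: unexpected suite %s (%s)\n", NR, $3, $2
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}
```

Running the audit from cron or a Chef recipe before each apt-mirror run catches a non-security suite added to the file by mistake.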