If you want to stay with the classic "Update Manager", I'd suggest you create a new, individual patch baseline with only the latest ESXi rollup bulletin in it, unassign the 2 predefined baselines (the ones in the screenshot), ans assign the newly create one. Since ESXi patches are cumulative, the latest one contains all previous ones.

That said, you may also consider to switch the cluster from Update Manager to the new Live Cycle Manager. This will allow you to define the desired state for the hosts in the cluster, which includes VMware patches, as well as the HPE patches (Add-Ons). Even individual components - if needed - and firmware can be patched using vLCM. For the firmware patches however, you also need additional HPE tools like the iLO-Amplifier, ...

Setting up and maintaining additional vendor tools may however be overkill for a small environment. That's why I usually run the firmware updated using the latest SPP.
Hint: Prior to running the SPP update, update the iLO firmware, and the hosts's BIOS from the iLO interface. Not only that the latest available iLO firmware, and the BIOS is newer that that on the SPP, but with the latest iLO firmware already installed, there will be no interruption of the iLO interface while updating the remaining firmware.

Unless you are running a really old firmware on the hosts, it shouldn't matter whet is updated first, SPP or ESXi. I usually go with firmware updates first.

André