Hi
It is good practice, if at all possible, to not allow connections from the DMZ into your internal network. Obviously this is not always possible, but if you can avoid it you should.
If the SUS server can push updates to the web server in the DMZ, that is preferable to the web server contacting the SUS server.
Otherwise, as you say, you can deploy a SUS server in the DMZ which is then used to update the web server.
HTH
Jon