Check this place for starters -- Getting started with Patch Reporting (SQL, Tables & such) -- that'll teach you where to look to begin with.
Second ... what is you need. There's a BIG difference between needing to know what's PATCHED and what you ARE and ARE NOT vulnerable to.
One doesn't necessarily require the other, as it were.
By default, we'll provide you a pretty easy accessible list for all things you're vulnerable to as part of inventory.
If you want to include a list of things that you ARE NOT vulnerable to (and why we believe you're not vulnerable to them), you'll need to run "Gather Historical" against your estate <check the program-group looking drop-down in the patch & compliance section> here:
... and configure it to suit your liking. This will then add a NEW part to the inventory tree called "Patch and Compliance definitions" (and populate the COMPUTERVULNERABILITY table if you want a direct source) with the data about what is & what isn't vulnerable to & why (based on your configuration).
Detected value of "1" == yes, detected.
Detected value of "0" == "nope - not detected".
That should be plenty to start.