Patching order for sql server 2017 for cluster and AG

Best CU patching order for cluster and AG So i have a physical active passive cluster which has a RO AG node on vmware. Going to apply SQL 2017 CU 24. I believe the order would be to do the RO node first (it is a manual failover). after stopping sync, then do failover node, then restart primary to move to failover node and finish former active node. Sound right?