The update would be a new certificate, and the old one would still be marked as untrusted (unless it was deleted by the update). Even if you mark the old one as untrusted the new one would work regardless (i.e. there's 5 Verisign root certs in Lion - 2x class 3s).

I doubt root cert updates are an update to the entire set (at least that's what I would hope) - less chance of breaking something else in the process.