All right, I'll try to explain this.
The Exchange provider works on the Exchange Information Store level. This means that (at least in the case of Exchange 2003) it is guaranteed to be called before any object from the Store is accessed by the user. Object doesn't mean emails only - also includes Public folder items, contacts, schedules, TODO lists, schemas etc...
On the other hand, the MS SMTP provider works as a filter on the SMTP stack. That is, it scans each and every (inbound and outbound) message as it passes through the SMTP layer (please note that some messages, e.g. messages sent from one mailbox to another on the same server don't reach the SMTP stack at all).
From what I said above it might seem that the Exchange provider can do everything that the SMTP provider, and more. This is basically correct if we only consider the number of files scanned. However, since the Exchange provider is based on the Microsoft Exchange VS API (Virus Scanning API) it is limited in certain ways (these limitations are given by the API itself). For example, the Exchange plugin cannot be configured to delete the infected objects from the emails (just overwrite them, which might be sort of confusing for the user).
So unless you have a really high performance server (with very high throughput requirements) I recommend having turned on both of these shields (and live with the fact that some items are in fact scanned twice). As they say, better safe than sorry.
Thanks
Vlk