My 2c and a dash of common sense: The role of the server doesn't matter; it needs protecting.
It is not common that malware will have code akin to saying, "Oh you're an SQL server, I couldn't possibly do any harm or replicate there, I'll leave you alone".
Or even "I see you are a busy Exchange server, too busy for me to think about interrupting you... as you were."
If it's a Windows box, it needs anti-virus protection.
Every server in the organization requires antivirus protection. The latest versions of antivirus products will run without compromising performance on the same hardware eligible to run SQL Server 2008, Exchange 2007 and SharePoint. You may want to exclude SQL database files and log files from the on-access scan. The same applies to Exchange. On Exchange, we do not use e-mail antivirus (we do have file AV); it's done on the perimeter and on the clients. This is done to make the Exchange server (damn sensitive) less complicated and also to save on performance. SharePoint also has special antivirus.
If you want to prove it to management, install a Windows PC, connect it to the Internet and keep it connected for a few weeks. Scan the PC afterwards and see how much spyware and how many viruses pop up. That's what I did (I did it to prove one more thing: that Symantec AV (at that time) was not efficient at catching viruses).
Avoiding a few servers is not going to save you a lot of money on the licensing side. We bought 101 clients even though our client base is around 80. Above 100, the per-user license price is lower than below 100, so it's cheaper for you if you have more clients.
Hope this helps.
Answer: ALL OF THEM.
I have 208 servers (W2000/W2003/W2008). Currently all of them have 8.5i p8 on them (except our one W2008 R2 box), purely because I haven't had the time to upgrade them (all my staff machines except W7 are at 8.5i p8 as well), and they will be moved onto 8.7 eventually too.
Ours include SQL, DCs, Exchange, etc.
All Windows boxes are vulnerable unless you lock them down immensely, e.g. having a closed network with no external USB/data storage devices allowed, etc. (which then becomes unusable to work with).
You can add exclusions and low-risk processes for your servers to reduce any overhead.
Viruses and worms can spread throughout a network in a matter of minutes. It's no longer safe just to have the machine patched up to date with security fixes. You need protection.
Having seen all machines on a network reboot with the Blaster virus, and machines getting their passwords remotely hacked through a Conficker infiltration, I can say anti-virus software is essential.
As previous posts mentioned, all the servers would need an antivirus. A good question to enforce the need is to ask: can I afford having those servers down/unavailable/spreading malware if they are infected?
Potential performance issues can be dealt with by certain configuration changes. See the KB for exclusions on Exchange Server and other products.
If your test results reveal that these changes are not enough, you can move to a more radical approach by not installing certain components. For example, you can install (silently) only On-Access Scan and AutoUpdate using the following command:
SetupVSE.exe ADDLOCAL=OnAccessScanner,AutoUpdate /q
More details are available in the product guide of VSE 8.7i p13 (English version).
I've seen this work well on servers where workarounds cannot be made, i.e. for Access Protection or Buffer Overflow Protection. However, you are losing the additional protection provided by these components, so use it only when you have to and when it's in compliance with your internal security policy.
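Two posts above (excluding SQL database and log files from the on-access scan, and using the KB exclusions rather than dropping components) come down to knowing exactly which directories each SQL instance writes to. The following PowerShell script is an added example, not code from the thread or from McAfee: it reads the SQL Server instance registry layout (assumed to be the standard one for SQL Server 2005 and later) and prints the per-instance data and log directories so the exclusions can be scoped to those paths and extensions instead of to whole drives or processes.

```powershell
# Added example (not from the original thread). Run elevated on the SQL host.
# Assumption: standard SQL Server registry layout:
#   HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL  -> name = instance ID
#   ...\<InstanceID>\MSSQLServer\DefaultData / DefaultLog  (only present if changed)
#   ...\<InstanceID>\Setup\SQLDataRoot                     (install-time data root)
$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instKey = Get-Item -Path "$base\Instance Names\SQL" -ErrorAction Stop

$exclusions = foreach ($instanceName in $instKey.GetValueNames()) {
    $instanceId = $instKey.GetValue($instanceName)
    $engine = Get-ItemProperty -Path "$base\$instanceId\MSSQLServer" -ErrorAction SilentlyContinue
    $setup  = Get-ItemProperty -Path "$base\$instanceId\Setup"       -ErrorAction SilentlyContinue

    # DefaultData/DefaultLog exist only when an admin changed them; otherwise the engine
    # uses <SQLDataRoot>\Data for both data and log files.
    $data = if ($engine.DefaultData) { $engine.DefaultData } else { Join-Path $setup.SQLDataRoot 'Data' }
    $log  = if ($engine.DefaultLog)  { $engine.DefaultLog  } else { $data }

    foreach ($dir in @($data, $log) | Sort-Object -Unique) {
        [pscustomobject]@{
            Instance   = $instanceName
            Directory  = $dir
            Exists     = Test-Path -Path $dir
            # Scope the exclusion to database file types only; everything else in the
            # directory (scripts, dropped binaries) stays under on-access scan.
            Extensions = '*.mdf, *.ndf, *.ldf'
        }
    }
}

# Review this table before entering the paths as on-access exclusions in the AV console.
$exclusions | Format-Table -AutoSize
```

Databases created with an explicit FILENAME outside the default directories are not in the registry; cross-check with `sys.master_files` on each instance so those paths are neither scanned by mistake nor left out of the review.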