There are actually more "types" of SBOMs than the two you mention. I don't think CISA has published the corresponding table yet, but depending on the point in the software lifecycle that you are, you can create "Design", "Source", "Build", "Deploy", or "Analysis" SBOMs -- and they are all for different use cases,
