When do I use IPsec tunnel mode or transport mode?

From Cisco: http://www.ciscopress.com/articles/article.asp?p=25477

Tunnel mode is most commonly used between gateways, or at an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.

Transport mode is used between end-stations or between an end-station and a gateway, if the gateway is being treated as a host—for example, an encrypted Telnet session from a workstation to a router, in which the router is the actual destination.

So what ARE the differences:

Tunnel mode protects any internal routing info by encrypting the IP header of the ENTIRE packet. The original packet is encapsulated by another set of IP headers.

  • NAT traversal is supported with tunnel mode.
  • Additional headers are added to the packet, so there is less payload MSS.

Transport mode encrypts the payload and ESP trailer ONLY. The IP header of the original packet is not encrypted.

  • Transport mode is implemented for client-to-site VPN scenarios.
  • NAT traversal IS NOT supported with transport mode.
  • MSS is higher.

Transport mode is usually used with other tunneling protocols (GRE, L2TP), which first encapsulate the IP data packet; IPsec is then used to protect the GRE/L2TP tunnel packets.

EDITED:

Here is a detailed read on the differences from Microsoft: http://technet.microsoft.com/en-us/library/cc757712%28v=ws.10%29.aspx
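As an added illustration (not part of the answer above), the following Python sketch models the ESP encapsulation the answer describes for both modes and works out how much TCP payload still fits in a 1500-byte MTU, which is where the "less payload MSS" point comes from. The header sizes are my assumptions: IPv4 and TCP without options, AES-CBC-128 with HMAC-SHA1-96, and an 8-byte UDP header when NAT traversal is in use.

```python
import math

# Assumed sizes (constructed for this example): IPv4/TCP without options,
# ESP with AES-CBC-128 and HMAC-SHA1-96. Other transforms change the IV,
# block and ICV sizes but not the layout.
IP_HDR = 20        # IPv4 header
TCP_HDR = 20       # TCP header
UDP_HDR = 8        # UDP header added only for NAT traversal
ESP_HDR = 8        # SPI (4) + sequence number (4), always in the clear
ESP_IV = 16        # AES-CBC initialisation vector
ESP_BLOCK = 16     # cipher block size; padding aligns to it
ESP_TRAILER = 2    # pad length (1) + next header (1)
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value


def esp_payload_len(mode, data_len):
    """Bytes handed to ESP for encryption, before padding."""
    if mode == "tunnel":
        return IP_HDR + TCP_HDR + data_len  # the ENTIRE original packet
    if mode == "transport":
        return TCP_HDR + data_len           # original IP header stays outside
    raise ValueError(mode)


def padded_len(n):
    """Payload plus ESP trailer, rounded up to the cipher block size."""
    return math.ceil((n + ESP_TRAILER) / ESP_BLOCK) * ESP_BLOCK


def wire_size(mode, data_len, nat_t=False):
    """Size of the protected packet on the wire; the leading IP header is the
    new outer header in tunnel mode and the original header in transport mode."""
    outer = IP_HDR + (UDP_HDR if nat_t else 0)
    return outer + ESP_HDR + ESP_IV + padded_len(esp_payload_len(mode, data_len)) + ESP_ICV


def max_tcp_data(mode, mtu=1500, nat_t=False):
    """Largest TCP payload that fits in one unfragmented packet of size mtu."""
    data = mtu
    while data > 0 and wire_size(mode, data, nat_t) > mtu:
        data -= 1
    return data


def cleartext_fields(mode):
    """Header fields an observer on the path can read for each mode."""
    if mode == "tunnel":
        return ["outer IP header (gateway addresses only)", "SPI", "sequence number"]
    return ["original IP header (real endpoint addresses)", "SPI", "sequence number"]


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, max_tcp_data(mode), cleartext_fields(mode))
    print("tunnel + NAT-T", max_tcp_data("tunnel", nat_t=True))
```

The 20-byte gap between the two modes is exactly the extra outer IP header of tunnel mode; NAT traversal costs another 8 bytes of UDP plus whatever the block padding absorbs.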