You can even have a free SSL certificate for your site that is accepted by every major browser. You can get it at StartSSL.
One certificate is mostly for the root domain (foo.com) and one subdomain (www.foo.com) at least at StartSSL I know that for sure but I guess that would be the same for namecheap.com.
In particular, can anyone tell me what the difference is between "Positive SSL" and "Essential SSL"?
For your purpose, the fact you one it for one app (and assuming on one server), they are exactly the same.
I can speak from experience that if you purchase PositiveSSL - you will be covered for both
example.com, even though it's the cheapest.
I'd be a bit leery of the comodo certificates -- they were hacked pretty recently and are not exactly trusted. Geotrust is a better option.
By "not exactly trusted" I mean they are hard to trust -- the fundamental underpinning of the system that SSL uses is the people with trusted root certificates will not have issues like Comodo had last year. Now, I will say Comodo handled it pretty well all things considered. But it should not have happened in the first place. Why go with someone who was compromised when there are other options out there.
Rather than worry about handling multiple hosts on one cert, you might be better off using a different virtual site listening to the non-ssl traffic on your site to redirect everything to the single HTTPS host you are using. This is a win in multiple ways -- gets everybody on the right url and on SSL. Lazy users don't get errors when they forget the https prefix.