When a server gets rooted (e.g. a situation like this), one of the first things that you may decide to do is containment. Some security specialists advise not to enter remediation immediately and to keep the server online until forensics are completed. Those advises are usually for APT. It's different if you have occasional Script kiddie breaches. However, you may decide to remediate (fix things) early and one of the steps in remediation is containment of the server. Quoting from Robert Moir's Answer - "disconnect the victim from its muggers".

A server can be contained by pulling the network cable or the power cable.

Which method is better?

Taking into consideration the need for:

1. Protecting victims from further damage
2. Executing successful forensics
3. (Possibly) Protecting valuable data on the server

Edit: 5 assumptions

Assuming:

1. You detected early: 24 hours.
2. You want to recover early: 3 days of 1 systems admin on the job (forensics and recovery).
3. The server is not a Virtual Machine or a Container able to take a snapshot capturing the contents of the servers memory.
4. You decide not to attempt prosecuting.
5. You suspect that the attacker may be using some form of software (possibly sophisticated) and this software is still running on the server.