Managed to answer my own question.  Not including scriptSigs in the hash leads to a vulnerability where an attacker broadcasts a modified version of a block which contains too many sigops, causing a node to reject a valid block as invalid.  I conclude that the transaction hash for the merkle root must include scriptSigs, however it should be okay to use a different mechanism to compute the transaction id.