su (short for Switch User) is a binary executable. It’s used by Android and other *nix based systems to allow a process to change the user account it is associated with. The reason it’s important from a rooting standpoint is that
su without any other parameters will switch to the root user, meaning that processes that require root permission for their functionality need to invoke
su (since by default they are not being run by root).
Superuser is an Android application (.apk is an Android application package). It works as a sort of “gatekeeper” to the
su binary. Applications which attempt to invoke
su will be forced to route through Superuser, which will then prompt the user if it is an unknown or new application. The user then has the option of approving or denying the access to
su and optionally having Superuser remember their decision so it can automatically apply it for subsequent calls by that app. By doing this, the only apps which are granted root permissions are ones that the user chooses.