There are three user IDs associated with a process. Real user, effective user and saved-set user.
If you run a suid root program, the effective user is root, while the real user is your regular user. A program like passwd allows you to change your own password but not another persons. The program needs to be root to edit /etc/passwd or /etc/shadow, however it also needs to know which user called it.
Another program may need to start out as a system user, switch back to the original user (real user) and later back again as the system user. This is what the saved-set user is for. When a system user executes a command on our behalf, it calls suid to change the effective user ID to our UID. But under these conditions, the saved-set user ID is not changed. After the program (such as a filter is finished) the program runs "geteuid" to change the effective UID back to the system user. This is allowed because the saved set-user-ID is the same system user. This allows a program or service to drop privileges when not needed.