None will protect against a replay attack.
In the first case, all the attacker has to do is adjust the timestamp.
In the second case, since H() is not supposed to be secret and since the timestamp is known, an attacker can also adjust the request by creating a valid H(timestamp). There is also the problem that you need to synchronize the client and server so that they both have the same timestamp value.
The best way to prevent a replay attack is to use challenge-response (there are other ways to do that, depending on your needs).
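
An added example, not part of the original answer: a minimal challenge-response exchange in Python, showing why a captured message stops working once the challenge is consumed. The pre-shared key, HMAC-SHA256, and the names `Server`, `client_response` and `demo` are assumptions made for the illustration; the answer names no specific construction.

```python
import hashlib
import hmac
import secrets


class Server:
    """Issues single-use random challenges and verifies keyed responses."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # unpredictable, fixed length
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, request: bytes, tag: bytes) -> bool:
        # Each challenge is accepted once. It is discarded before the tag is
        # checked, so a captured (nonce, request, tag) triple cannot be reused.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce + request, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def client_response(key: bytes, nonce: bytes, request: bytes) -> bytes:
    # The secret key is what the unkeyed H(timestamp) scheme lacks: without
    # it, nobody else can compute a valid tag for a fresh challenge.
    return hmac.new(key, nonce + request, hashlib.sha256).digest()


def demo() -> dict:
    key = secrets.token_bytes(32)   # constructed sample key
    request = b"transfer 10"        # constructed sample request
    server = Server(key)

    nonce = server.issue_challenge()
    tag = client_response(key, nonce, request)
    first = server.verify(nonce, request, tag)      # legitimate request
    replay = server.verify(nonce, request, tag)     # same bytes sent again

    fresh = server.issue_challenge()
    stale_tag = server.verify(fresh, request, tag)  # old tag, new challenge
    return {"first": first, "replay": replay, "stale_tag": stale_tag}


if __name__ == "__main__":
    print(demo())
```

No clock synchronization is needed here, because freshness comes from the server's own random challenge rather than from a timestamp both sides must agree on.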