• Generally, prepared statements are roughly the same as stored procedures, so they're handled very well indeed. The optimizer can create an execution plan that is reusable across multiple iterations of the statement, regardless of values passed. The parameters can be sniffed, sampled, to get more accurate execution plans (and yeah, parameter sniffing is a good thing most of the time). In short, prepared statements are an excellent way to go. They're safer than inline values since you're still dealing with parameters and can avoid injection attacks. There just isn't much to complain about with these things.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning
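
An added example, not part of the original post: the same lookup run with an inline value and then as a parameterized statement through `sp_executesql`, followed by a look at the plan cache. The table `dbo.DemoCustomer`, its rows and the input value are constructed for illustration. It assumes a scratch SQL Server instance and a login allowed to read the plan-cache DMVs (VIEW SERVER STATE).

```sql
-- Constructed demo table in tempdb; every name below is hypothetical.
USE tempdb;
GO
CREATE TABLE dbo.DemoCustomer
(
    CustomerID int IDENTITY PRIMARY KEY,
    LastName   nvarchar(50) NOT NULL
);
INSERT dbo.DemoCustomer (LastName)
VALUES (N'Smith'), (N'Jones'), (N'O''Brien');
GO

-- Constructed input containing a quote and SQL syntax.
DECLARE @input nvarchar(50) = N'x'' OR 1=1 --';

-- Inline value: the input is concatenated into the statement text, so the
-- quote inside the data ends the literal and the rest is parsed as SQL.
DECLARE @inline nvarchar(200) =
    N'SELECT CustomerID, LastName FROM dbo.DemoCustomer WHERE LastName = N'''
    + @input + N'''';
EXEC (@inline);

-- Parameterized: the statement text is fixed and the value is passed
-- separately, so it is only ever compared against LastName as data.
DECLARE @stmt nvarchar(200) =
    N'SELECT CustomerID, LastName FROM dbo.DemoCustomer WHERE LastName = @LastName';
DECLARE @params nvarchar(100) = N'@LastName nvarchar(50)';

EXEC sys.sp_executesql @stmt, @params, @LastName = @input;
EXEC sys.sp_executesql @stmt, @params, @LastName = N'Smith';
EXEC sys.sp_executesql @stmt, @params, @LastName = N'Jones';

-- Plan cache: compare objtype and usecounts for the parameterized statement
-- (one text for all values) against the ad hoc statement (text includes the value).
SELECT cp.objtype, cp.usecounts, st.text
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.text LIKE N'%DemoCustomer%'
  AND st.text NOT LIKE N'%dm_exec_cached_plans%'   -- hide this query itself
ORDER BY cp.objtype, cp.usecounts DESC;
GO

DROP TABLE dbo.DemoCustomer;
GO
```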