The recent slate of attacks on IIS servers doesn't seem to be directed against IIS or against SQL Server itself. In other words, the attackers aren't going after vulnerabilities in either server product. Rather, the attacks target weaknesses in the web application that permit SQL injection. More here:
The moral of the story is to make sure your web application has solid input validation. If the input were properly handled, the SQL injection attacks would fail. If you're using software that a large community uses or that you purchased, don't assume it's safe. For instance, a few months ago I took a look at an application a business associate of mine had purchased. Within a couple of pages it was obvious the author had done some input validation to trap whether or not a value coming in was an integer, for those fields which should have been integers, but did absolutely no checking when it came to string values.
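The gap described above (integer fields checked, string fields not), shown beside a hardened form. This is an added example, not code from the application mentioned in the post. The table, function names and sample input are constructed, Python's `sqlite3` stands in for the application's database, and bound parameters are added alongside input validation as a second layer.

```python
import re
import sqlite3

# Constructed sample input: a string value containing a quote character.
CRAFTED = "books' OR '1'='1"
# Hypothetical allow-list for the string field.
CATEGORY_RE = re.compile(r"[A-Za-z0-9 _-]{1,32}")

def make_db():
    # Constructed sample data held in memory.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, category TEXT, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "books", "SQL primer"),
                    (2, "books", "IIS admin guide"),
                    (3, "internal", "price list draft")])
    return db

def is_integer(value):
    return re.fullmatch(r"-?[0-9]+", value) is not None

def lookup_unchecked(db, min_id, category):
    # Mirrors the pattern in the post: the integer field is validated,
    # the string field is concatenated into the statement untouched.
    if not is_integer(min_id):
        raise ValueError("min_id must be an integer")
    sql = ("SELECT name FROM products WHERE id >= " + min_id +
           " AND category = '" + category + "'")
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, min_id, category):
    # Bound parameters: the driver passes the string as data, so a quote
    # inside it cannot change the shape of the statement.
    sql = "SELECT name FROM products WHERE id >= ? AND category = ?"
    return [row[0] for row in db.execute(sql, (int(min_id), category))]

def lookup_hardened(db, min_id, category):
    # Validate every field, strings included, then bind the values.
    if not is_integer(min_id):
        raise ValueError("min_id must be an integer")
    if not CATEGORY_RE.fullmatch(category):
        raise ValueError("category contains characters outside the allow-list")
    return lookup_parameterized(db, min_id, category)

if __name__ == "__main__":
    db = make_db()
    print("unchecked:    ", lookup_unchecked(db, "1", CRAFTED))
    print("parameterized:", lookup_parameterized(db, "1", CRAFTED))
```

With the constructed input, the concatenated query returns rows from every category, while the parameterized query returns none and the hardened lookup rejects the value before it reaches the database.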