Is the application using functions (or anything else) in other databases? If you granted db_owner to the login in the application's database, the login can use any table, procedure, function, etc. in that database. You should never, ever give an application login sysadmin privs - it's a bad idea and asking for disaster. The only users with the sysadmin privs should be the DBAs.