Anything that concatenates user input into a string and executes the resulting string is vulnerable. That includes user input that got stored in the database and then used to build a string.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
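The stored-data case described in the post above, as an added T-SQL example that is not part of the original post. The temp tables, column names and the input value are constructed for illustration.

```sql
-- Constructed demo objects; all names here are hypothetical.
CREATE TABLE #Customers (
    CustomerID int IDENTITY PRIMARY KEY,
    LastName   nvarchar(100) NOT NULL
);
CREATE TABLE #SavedFilters (
    FilterID       int IDENTITY PRIMARY KEY,
    LastNameFilter nvarchar(200) NOT NULL
);
INSERT INTO #Customers (LastName) VALUES (N'Smith'), (N'Jones'), (N'O''Brien');

-- Step 1: user input is written with a variable, so this INSERT is safe.
-- The stored text still carries a quote and a SQL fragment (constructed value).
DECLARE @input nvarchar(200) = N'Smith'' OR 1=1 --';
INSERT INTO #SavedFilters (LastNameFilter) VALUES (@input);

-- Step 2, vulnerable: later code treats the value as trusted because it
-- came from the database, and concatenates it into a string to execute.
DECLARE @stored nvarchar(200) =
    (SELECT LastNameFilter FROM #SavedFilters WHERE FilterID = 1);
DECLARE @sql nvarchar(max) =
    N'SELECT CustomerID, LastName FROM #Customers WHERE LastName = '''
    + @stored + N'''';
PRINT @sql;   -- inspect the statement text that is about to run
EXEC (@sql);  -- the stored text is parsed as part of the statement

-- Step 2, fixed: the statement text is constant and the stored value is
-- passed as a typed parameter, so it is only ever compared as data.
EXEC sys.sp_executesql
    N'SELECT CustomerID, LastName FROM #Customers WHERE LastName = @LastName',
    N'@LastName nvarchar(200)',
    @LastName = @stored;

DROP TABLE #SavedFilters;
DROP TABLE #Customers;
```

In the concatenated version the stored quote closes the string literal and the rest of the value becomes part of the predicate; in the sp_executesql version the whole value is matched against LastName as a single string.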