• I tend to err on the side of caution - I'd never expose SQL directly to the net.  A VPN using the standard MS PPTP connections is very easily configured at both the server and client ends...  This is by far more secure and helps ensure that any future exploits for SQL don't find their way into your network.

    You could, if desired, make use of the features of your NAPT firewall to have SQL use 1433 internally and appear on a different port externally - security through obscurity. I do this for Terminal Services - rather than exposing 3389 for a single server to the net I'll map something like 4001, 4002, 4003 etc., each being pointed at a different internal IP address for port 3389.  The less of your network that is exposed, the more secure you are (generally).
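As an added illustration (not part of the post above, and not any real firewall's format), the following script audits a NAPT port-forward table of the kind the post describes. The rule table, the `ext_port -> internal_ip:internal_port` text layout and the hypothetical internal addresses are all constructed here. The point it makes is the one the post makes: the external port number chosen for a mapping does not change which internal services are reachable from the internet, so a SQL Server that is forwarded on an unusual external port is still exposed, while the per-port RDP mappings are each counted as one exposed host.

```python
"""Audit a constructed NAPT port-forward table for internet-exposed services.

Everything here is an assumption for illustration: the rule syntax, the
10.0.0.x addresses and the sample rules are invented, not taken from any
real firewall or from the forum post.
"""
from dataclasses import dataclass

# Service names for the well-known internal ports discussed in the post.
SERVICE_NAMES = {
    1433: "MS SQL Server",
    3389: "Terminal Services (RDP)",
    1723: "PPTP VPN",
}

# Constructed rule table: one line per forward, "<ext_port> -> <ip>:<int_port>".
# Mirrors the post's 4001/4002/4003 -> 3389 scheme, plus a remapped SQL port.
SAMPLE_TABLE = """\
4001  -> 10.0.0.11:3389
4002  -> 10.0.0.12:3389
4003  -> 10.0.0.13:3389
1723  -> 10.0.0.2:1723
14330 -> 10.0.0.20:1433
"""


@dataclass(frozen=True)
class ForwardRule:
    external_port: int
    internal_ip: str
    internal_port: int


def parse_rules(table: str) -> list:
    """Parse the constructed text layout into ForwardRule objects (blank lines ignored)."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line:
            continue
        ext, target = (part.strip() for part in line.split("->", 1))
        ip, int_port = target.rsplit(":", 1)
        rules.append(ForwardRule(int(ext), ip, int(int_port)))
    return rules


def exposed_services(rules: list) -> dict:
    """Map (internal_ip, internal_port) -> external_port for every forwarded service.

    The external port is irrelevant to *whether* a service is exposed; remapping
    1433 to 14330 still delivers internet traffic to the SQL listener.
    """
    return {(r.internal_ip, r.internal_port): r.external_port for r in rules}


def findings(rules: list, vpn_only=(1433,)) -> list:
    """Warnings for forwards to services that should be reachable only over the VPN."""
    out = []
    for r in rules:
        if r.internal_port in vpn_only:
            name = SERVICE_NAMES.get(r.internal_port, f"port {r.internal_port}")
            out.append(
                f"external {r.external_port} -> {r.internal_ip}:{r.internal_port} "
                f"exposes {name} to the internet; move it behind the VPN"
            )
    return out


def exposure_summary(rules: list) -> dict:
    """Count exposed hosts per internal service, e.g. three RDP hosts behind 4001-4003."""
    counts = {}
    for r in rules:
        name = SERVICE_NAMES.get(r.internal_port, f"port {r.internal_port}")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_TABLE)
    for warning in findings(rules):
        print("WARNING:", warning)
    for service, n in sorted(exposure_summary(rules).items()):
        print(f"{n} host(s) exposing {service}")
```

Run against the constructed table it reports the remapped SQL forward as a finding and counts three exposed RDP hosts and one PPTP endpoint; swapping in a dump of your own firewall's forward rules (converted to the same simple layout) gives the inventory of what is actually reachable from outside.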