• Good question, but the answer leaves me bitter. I assumed Stored Procedures were in use with proper parameter types (which is what I use), so SQL injection would not have occurred. Then I get to the answer and find out that I'm wrong "IF"... arg. 🙁 Perhaps clarify the question?

    This is a currently common SQL injection attack. If the web page does not use stored procedures, but instead uses dynamic SQL, this is a valid SQL 2005 command (there are versions for SQL 2000), and might execute.

    *EDIT*

    My apologies, bitter was a harsh word; maybe it's 'cause I was doing so well with the QOTD. Either way, this caused some brain action, and for that, thanks!