My opinion is that while AV software is the must on a file server, it is useless on a "well-configured" SQL Server, since the treatment goes to be worse than the illness.

By "well-configured" I mean:

1. it's used only as SQL Server (no file-sharing, no IIS, etc.);

2. the SQL Services are run under least privileged accounts;

3. it's locked down by Security Configuration Wizard (to disable all unneeded services, and leave opened only needed IP ports);

4. it's patched with critical security updates just as they released.

With such a configuration there's no way for a virus to come into a system, which makes AV software useless. Alright, there're 2 "but-s":

1. there might come up a virus which exploits unknown vulnerability;

2. not every company can afford such role-targetted servers.

As for the first, while there's such a probability, Microsoft has been doing well on this front for the past moths, and as a rule, they release pathes before the vulnerability is used by virus-makers; for the worst case one could use imaging backup software to quickly restore the system - anyway it would be less expensive than an AV software in terms of purchase, deployment, maintenance, support, server workloads - all mean money. As for the second "but"... well, the way out is consolidation and virtualisation of file-, print-, web-, infra- servers to free up a well-built box(es) dedicated to SQL Server only.

P.S. A couple of years ago, I went to a seminar of a famous AV company and talked to its analysts about usage their AV software on various servers. They said, while an AV software is really the must on a file-server, it's absolutely unneeded on a domain controller and on a database server, =if= 1. these servers are strictly dedicated to their roles; 2. they are promptly patched. Since then, I followed their advice, and the time just confirmed it.