dynamic sql is also more susceptible to sql injection. you might find it cleaner to have 2 queries with different formatted where clauses and an if statement that chooses which sql statement to run.