Agreed. Parameterized dynamic SQL using sp_executesql not only prevents SQL injection attacks, it also provides for execution plan caching.
__________________________________________________
Against stupidity the gods themselves contend in vain. -- Friedrich Schiller
Stop, children, what's that sound? Everybody look what's going down. -- Stephen Stills
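The point made in the reply above, as an added T-SQL example that is not part of the original post: concatenated dynamic SQL beside the parameterized `sp_executesql` form, followed by a plan-cache check. The table `dbo.DemoCustomers` and the input value are constructed for illustration, and the final query assumes VIEW SERVER STATE permission.

```sql
-- Constructed demo table (hypothetical name, not from the thread).
CREATE TABLE dbo.DemoCustomers (CustomerId int PRIMARY KEY, LastName nvarchar(50));
INSERT INTO dbo.DemoCustomers VALUES (1, N'Smith'), (2, N'O''Brien'), (3, N'Jones');

DECLARE @sql nvarchar(max);
-- Constructed untrusted input containing a quote and extra SQL text.
DECLARE @Input nvarchar(50) = N'x'' OR 1 = 1 --';

-- Weak form: the input becomes part of the statement text. The embedded
-- quote closes the string literal, so the remainder is parsed as SQL and
-- the WHERE clause no longer means what the author wrote.
SET @sql = N'SELECT CustomerId, LastName FROM dbo.DemoCustomers '
         + N'WHERE LastName = N''' + @Input + N'''';
EXEC (@sql);

-- Parameterized form: the statement text is constant and the input is
-- bound as a typed value, so it is only ever compared against LastName.
SET @sql = N'SELECT CustomerId, LastName FROM dbo.DemoCustomers '
         + N'WHERE LastName = @LastName';
EXEC sys.sp_executesql @sql, N'@LastName nvarchar(50)', @LastName = @Input;

-- Same statement text with different values: eligible for plan reuse.
EXEC sys.sp_executesql @sql, N'@LastName nvarchar(50)', @LastName = N'Smith';
EXEC sys.sp_executesql @sql, N'@LastName nvarchar(50)', @LastName = N'Jones';

-- Plan-cache check: the parameterized statement appears as one 'Prepared'
-- entry whose usecounts increases with each execution above, whereas
-- concatenated text differs per input value.
SELECT cp.objtype, cp.usecounts, st.text
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.text LIKE N'%DemoCustomers%'
  AND st.text NOT LIKE N'%dm_exec_cached_plans%';

DROP TABLE dbo.DemoCustomers;
```

Parameters can only stand in for values; table or column names that must vary still need separate handling such as `QUOTENAME` and an allow-list.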