[You don't need to have your sql instance in the DMZ. You would need to have your webserver in the DMZ but keep your data inside. Then you configure your firewall to allow traffic from the webserver to the sql box.
That what the setup is for the majority of the websites but for a couple the data is also in the DMZ.
It obviously changes the security model a little not having AD on there and retrieving data about the instance a little more difficult but apart from that is there any reason why it really shouldnt be in the DMZ?