The recent slate of attacks on IIS servers don't seem to be an attack directly against IIS or against SQL Server itself. In other words, they aren't going after vulnerabilities in the server product (either one). Rather, the attacks are targeting weaknesses in the web application which permit SQL Injection attacks. More here:

• MSRC: Questions about Web Attacks

• Bill Staples: SQL Injection Attacks on IIS Web Servers

• SANS Internet Storm Center: Hundreds of thousands of SQL injections

The reason we're seeing infections on such a large scale is the attackers have been able to automate the attack. This isn't altogether surprising considering the techniques to detect whether SQL injection is successful are rather well known and can be coded for. As to what the injections are doing... basically they are inserting JavaScript which causes the download and execution of a particular file. That file tries a number of exploits against the local computer to attempt to compromise it.

The moral of the story is make sure your web application has solid input validation. If the input was properly handed, the SQL injection attacks would fail. If you're using software that either a large community uses or that you purchased, don't assume it's safe. For instance, a few months ago I took a look at an application a business associate of mine had purchased. Within a couple of pages it was obvious the author had done some input validation to trap whether or not a value coming in was an integer, for those fields which should have been integers, but did absolutely no checking when it came to string values.