[Updated: 3/23/06: Welcome Digg users. If you are interested in information security, please check out the rest of this blog, as well as my team's blog and our threat modeling blog. Happy digging :)]
This article is a good read. Generally, most of the things highlighted in the article are things that we don't run up against at Microsoft. Our default SQL Server configs in Microsoft IT are pretty solid. We do see the occasional SQL injection bug, but usually it is fixed quickly. To address the SQL injection issue, we generally don't allow dynamic SQL at all, and stored procs are the order of the day.
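As an added illustration (not from the original post, and not Microsoft IT's code), the T-SQL below shows why "no dynamic SQL" is the operative rule rather than "use stored procs": a procedure that concatenates its parameter into an EXEC string is still injectable, while a procedure with a static query, or one that passes the value through sp_executesql as a parameter, is not. The Users table and column names are assumed.

```sql
-- Constructed example: a Users table for a login lookup.
CREATE TABLE dbo.Users (
    UserId   INT IDENTITY PRIMARY KEY,
    UserName NVARCHAR(64) NOT NULL,
    IsAdmin  BIT NOT NULL DEFAULT 0
);
GO

-- Anti-pattern: a stored procedure that still builds dynamic SQL.
-- The parameter is spliced into the query text, so a value containing a
-- single quote changes the statement's structure. Wrapping this in a
-- procedure does nothing for injection; the concatenation is the bug.
CREATE PROCEDURE dbo.FindUser_Dynamic @UserName NVARCHAR(64)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId, UserName, IsAdmin FROM dbo.Users WHERE UserName = '''
        + @UserName + N'''';
    EXEC (@sql);
END;
GO

-- Preferred: a static query. @UserName is always treated as data, never as
-- query text, whatever characters it contains.
CREATE PROCEDURE dbo.FindUser_Static @UserName NVARCHAR(64)
AS
BEGIN
    SELECT UserId, UserName, IsAdmin
    FROM dbo.Users
    WHERE UserName = @UserName;
END;
GO

-- If dynamic SQL is genuinely unavoidable (for example a sort column chosen
-- from a fixed whitelist), keep user-supplied values out of the string and
-- bind them as parameters through sp_executesql.
CREATE PROCEDURE dbo.FindUser_Parameterized @UserName NVARCHAR(64)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId, UserName, IsAdmin FROM dbo.Users WHERE UserName = @u';
    EXEC sp_executesql @sql, N'@u NVARCHAR(64)', @u = @UserName;
END;
GO
```

Granting the application login EXECUTE on the procedures and no direct table permissions keeps the boundary at the procedure, which is what makes the "stored procs only" policy enforceable rather than advisory.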