Talk about media hype and anti-MS sentiment, John Leyden writes an article in todays register MS (finally) confirms unpatched SQL Server flaw -> http://www.theregister.co.uk/2008/12/23/sql_server_0day_latest/.
At the end of the day, in order to exploit the problem you need to either a) give the hacker access to your SQL Server to login or b) have so badly written your own application that it is subject to SQL injection attact. In the real world neither of these should be possible if people have done their jobs properly.
The real bug is with the extended stored procedure sp_replwritetovarbin and sec-consult have a good write up here: http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt.
Realistically the product is pretty dam sound - how many security exploits have there been on 2005 and 2008 compared to its user base, if you refactor other vendor flaws against the use base rather than licence income then the picture will be clear who has got their code review right.
Tony