Microsoft Security Advisory MS02-020 - Microsoft SQL Server 7.0 and 2000 contain buffer overflows in stored procedures which allow remote attackers to execute arbitrary code in the security context in which SQL Server is running. An attacker could exploit this vulnerability in one of two ways - the attacker could attempt to load and execute a database query that calls one of the affected functions, or if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters. Microsoft FAQ on this issue available here.
e9aa37ecfa4622fac79e02caae7328ee79458d9a6c012915da1dea341479db03