When creating a dynamic SQL statement in SQL Server 2000 and up avoid using the exec() function. There is a system stored procedure that works better called sp_executesql(). Here is a link to Microsoft's documentation: (SQL 2005) http://msdn.microsoft.com/en-us/library/ms188001(SQL.90).aspx (SQL 2000)
http://msdn.microsoft.com/en-us/library/aa933299%28SQL.80%29.aspx