See why you should use sp_executesql instead of EXEC() for running dynamic SQL strings.