Bad Habits to Kick: Using EXEC() instead of sp_executesql

See why you should use sp_executesql instead of EXEC() for running dynamic SQL strings.