> Finally I decided on that option. It has another advantage, about the data types.
And if you look at the command that gets sent to the server (you can do that in the profiler), you'll see that it translates into an exec sp_execsomething with all your ?-prefixed variables passed as parameters and replaced inside the command as @p1, @p2, etc., which is exactly why it is a good safeguard against SQL injection.
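As an added illustration of the point above (not code from the thread), the string-spliced query is shown next to the `?`-placeholder form; `sqlite3` is assumed as a stand-in so it runs offline, the table and rows are constructed, and with SQL Server the driver would forward the same `?` values as the @p1, @p2 parameters of sp_executesql rather than pasting them into the SQL text.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for the real server.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def lookup_concat(conn, name):
    # Vulnerable form: the untrusted value becomes part of the SQL text,
    # so quotes inside it change the meaning of the statement.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    # Hardened form: the SQL text is fixed; the value travels separately
    # as a typed parameter and can only ever be compared, never parsed.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def check_not_spliced(conn):
    # Defender's self-test: a value containing a quote must match no row
    # through the parameterised path, whatever it does through concatenation.
    probe = "x' OR '1'='1"
    return lookup_param(conn, probe) == [] and lookup_param(conn, "alice") == [(1, "alice")]

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, "x' OR '1'='1"))  # every row leaks
    print("parameterised:", lookup_param(db, "x' OR '1'='1"))  # no rows
    print("parameter path safe:", check_not_spliced(db))
```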