According to published reports, the vulnerability was reported to Microsoft in April and "a fix for this vulnerability has been completed", but there's no patch release date mentioned at this time. Exploit code is available.
From the Security Advisory (961040);
What systems are primarily at risk from the vulnerability?
"Clients and applications that utilize MSDE 2000 or SQL Server 2005 Express are at risk of remote attack if they have modified the default installation to accept remote connections, if they allow untrusted users access to MSDE 2000 or SQL Server 2005 Express, or if an application that uses MSDE 2000 or SQL Server 2005 Express has a SQL Injection vulnerability.
All systems running one of the affected Microsoft SQL Server software where a malicious user is allowed to log on are at risk of exploitation of this vulnerability. In addition, Web applications with a SQL Server back-end database are at risk if a SQL Injection vulnerability exists".