EXEC vs SP_EXECUTESQL Performance

This is mostly a preference due to security and consistency, and has nothing to do with performance (though that may have been more of a concern in ancient versions of SQL Server).

Why use EXEC() some of the time when you should be using sp_executesql whenever you have parameters? EXEC() forces you to concatenate all of your variables into a single string, and this makes it ripe for abuse.

I wrote about this in more detail here:

  • Bad Habits to Kick : Using EXEC() instead of sp_executesql

I also wrote about protecting yourself from SQL injection here:

  • Protecting Yourself from SQL Injection in SQL Server - Part 1
  • Protecting Yourself from SQL Injection in SQL Server - Part 2

SQL injection is a pretty big deal, and plenty of other people have written about it too.

Finally, be sure when you call system procedures that you use the proper casing to match what's stored in sys.all_objects - it should be all lower case. Otherwise, if your code gets deployed to a case-sensitive instance, it will all start failing.
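As an added illustration (not part of the original answer), here is the same lookup written with EXEC() concatenation and with sys.sp_executesql parameters, plus the case where an identifier has to be dynamic. The table dbo.Customers and the procedure names are assumptions for the example; CREATE OR ALTER needs SQL Server 2016 SP1 or later.

```sql
-- Added example (not from the original answer): the same lookup written both ways.
-- Assumes a table dbo.Customers(CustomerID int, Name nvarchar(100), Region nvarchar(50)).

-- 1. EXEC() with string concatenation: the caller's input becomes part of the
--    statement text, so the statement's meaning depends on what @Region contains.
CREATE OR ALTER PROCEDURE dbo.GetCustomers_Exec
    @Region nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerID, Name FROM dbo.Customers WHERE Region = '''
             + @Region + N''';';
    EXEC (@sql);  -- input is interpreted as T-SQL text, not as data
END;
GO

-- 2. sys.sp_executesql with a typed parameter: the statement text is constant
--    and @Region is bound as a value, so it cannot change the query's structure.
--    The cached plan is also reusable across calls with different @Region values.
CREATE OR ALTER PROCEDURE dbo.GetCustomers_Param
    @Region nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) = N'SELECT CustomerID, Name FROM dbo.Customers WHERE Region = @r;';
    EXEC sys.sp_executesql
        @stmt   = @sql,
        @params = N'@r nvarchar(50)',
        @r      = @Region;
END;
GO

-- 3. Identifiers (table/column names) cannot be parameters. When one must be
--    dynamic, validate it against the catalog and wrap it with QUOTENAME();
--    the value predicate still goes through a parameter.
CREATE OR ALTER PROCEDURE dbo.GetCustomers_ByColumn
    @Column sysname,
    @Value  nvarchar(100)
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Customers') AND name = @Column)
        THROW 50000, N'Unknown column name.', 1;

    DECLARE @sql nvarchar(max) = N'SELECT CustomerID, Name FROM dbo.Customers WHERE '
                               + QUOTENAME(@Column) + N' = @v;';
    EXEC sys.sp_executesql @sql, N'@v nvarchar(100)', @v = @Value;
END;
GO
```

Note that the system procedure is referenced as sys.sp_executesql in all lower case, which is the casing point made above.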


First of all, let's check what both commands mean:
sp_executesql: Executes a Transact-SQL statement or batch that can be reused many times, or one that has been built dynamically. The Transact-SQL statement or batch can contain embedded parameters.
exec: Executes a command string or character string within a Transact-SQL batch, or one of the following modules: system stored procedure, user-defined stored procedure, CLR (common language runtime) stored procedure, scalar-valued user-defined function, or extended stored procedure. The EXECUTE statement can be used to send pass-through commands to linked servers.

Some of the main differences:

  1. sp_executesql allows statements to be parameterized, therefore it's more secure than EXEC in terms of SQL injection.
  2. sp_executesql can leverage cached query plans. The T-SQL string is built only one time; after that, every time the same query is called with sp_executesql, SQL Server retrieves the query plan from cache and reuses it.
  3. Temp tables created in EXEC cannot use the temp table caching mechanism.

References:
https://blogs.msdn.microsoft.com/turgays/2013/09/17/exec-vs-sp_executesql/
https://msdn.microsoft.com/en-us/library/ms188001.aspx
https://msdn.microsoft.com/en-us/library/ms188332.aspx

Edit:
I found the following article regarding the performance:
The performance is a matter of debate between these two methods for stored procedures. As its name suggests, sp_execute is itself a stored procedure, which is stored in the system database. SP_ExecuteSQL requires passing SQL strings to it and is thus expected to show higher chances of caching, consequently leading it to perform better when run the second or later times.

In other words, its parameterized dynamic T-SQL encourages its reuse. Moreover, sp_execute is supposed to have higher chances of avoiding unnecessary compilation while executing a dynamic query than exec(). But some experts consider this misleading, as they think a plan will be cached for both methods. In fact, for non-parameterized queries SP_ExecuteSQL shows the same characteristics as the latter.

http://www.technovisitors.com/2014/07/SPExecuteSQL-Vs-Execute-SQL-Server.html