Does running Microsoft .NET on SQL Server open a whole new set of
security risks?
Not really, unless you choose to allow security problems to occur.
The first layer of defense is that .NET isn't enabled when you install SQL Server.
The next layer of defense has to do with how much power you choose to expose;
allowing .NET in SQL Server to call out to Web Services could expose your database
engine to a host of problems. But keeping your .NET code-access capabilities
ratcheted down to safe level ensures that .NET won't crash your server while
still letting you leverage the advantages of .NET on your server. (When you
load an assembly into SQL Server, you have three potential security levels:
safe, unsafe, and external. You should usually use safe, but when you need limited
access to the local file system, Web services or another database, you can use
the external setting. I strongly discourage the use of unsafe code.)