Wow - thanks to @GaryMazzone, I now know that sp_executeSQL can handle "parameters" in the string variable - very nice!