Edited by Paul Hales
Published by Incisive Media Investments Ltd.
Comments
Not a Microsoft issue
The attack method here is just a generic SQL injection attack. All the attack tool does is search Google for URLs where the address ends in ".asp" and looks for a query-string parameter named "a". It then injects a chunk of T-SQL text which modifies the contents of every column of every table to include a piece of script.

You cut off this problem at the knees by not allowing user input to ever be processed as part of the SQL statement. To do this, always, always use parameterised queries. For preference I use stored procedures, but the key is to treat user input as a parameter value, never part of the statement. If you need a dynamically-shaped query, you can still use parameters.
There's simply nothing here that Microsoft can fix. It's coincidental that Microsoft technologies are attacked. You could use the same technique with Oracle (injecting PL/SQL text) and attack PHP-based servers by looking for a .php extension.
The traditional avenue for malware, of looking to exploit OS vulnerabilities, is drying up (particularly on Windows - Microsoft's Security Development Lifecycle is working). In comparison the number of application and particularly website vulnerabilities is exploding.
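An added illustration of the point made in the comment above (it is not the commenter's code, nor from the attack tool): a T-SQL script showing the concatenated statement that the mass-update payload relies on beside the two parameterised forms the commenter recommends. The table dbo.Articles, its columns, the procedure dbo.GetArticle and the @a variable standing in for the "a" query-string parameter are all hypothetical, and the injected UPDATE is a harmless stand-in for the script-inserting one the article describes.

```sql
-- Added example, not from the page. Hypothetical table dbo.Articles;
-- @a plays the role of the request parameter "a". Run in sqlcmd/SSMS
-- against a scratch database (GO separates batches).
CREATE TABLE dbo.Articles (ArticleId int PRIMARY KEY,
                           Title nvarchar(200), Body nvarchar(max));
INSERT INTO dbo.Articles VALUES (1, N'First', N'hello');

-- Constructed payload in the shape described above: finish the value,
-- append a statement that touches every row, comment out the rest.
DECLARE @a nvarchar(100) =
    N'1; UPDATE dbo.Articles SET Body = Body + N''<!-- injected -->'' --';

-- 1. WRONG: the parameter becomes part of the statement text, so the
--    appended UPDATE runs and every Body column is modified.
DECLARE @sql nvarchar(max) =
    N'SELECT Title FROM dbo.Articles WHERE ArticleId = ' + @a;
EXEC (@sql);
SELECT Body FROM dbo.Articles;          -- now ends in "<!-- injected -->"

-- 2. RIGHT, dynamic shape but still parameterised: the statement text is
--    fixed and the value is bound as a typed parameter. Passing @a here
--    instead of @ok raises a conversion error and runs nothing.
DECLARE @ok nvarchar(100) = N'1';
EXEC sp_executesql
    N'SELECT Title FROM dbo.Articles WHERE ArticleId = @id',
    N'@id int',
    @id = @ok;
GO

-- 3. RIGHT, stored procedure: the caller can only supply a typed value;
--    there is no string concatenation anywhere on the path.
CREATE PROCEDURE dbo.GetArticle @id int AS
    SELECT Title, Body FROM dbo.Articles WHERE ArticleId = @id;
GO
EXEC dbo.GetArticle @id = 1;
```

The same split applies in the ASP page itself: an ADO Command with a typed Parameter (or a call to the procedure) sends the value out of band, whereas building the SQL string with the request value is exactly form 1 regardless of which database sits behind it.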
It should be easy
In Oracle, you simply create a separate schema user and don't allow them to modify table design or access the system schemas. It's actually a bit harder to do that in SQL Server (despite the GUI) as I recall, but it should be fairly easy.

Once you change the connection string, you're away. Nice and secure - anything which tries naughty things will fail. Yet few DBAs and developers seem to bother with this and have the misguided idea that another few dozen stored procedures that make coding much harder and less maintainable are the holy grail of web development.
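The SQL Server side of the comment above, as an added example rather than the commenter's own script: a login and database user for the web tier that can execute the application's procedures but cannot write to tables or change their design, so the mass UPDATE fails on permissions even if the injection itself gets through. The database WebShop, the login webapp, the table dbo.Articles and the procedure dbo.GetArticle are hypothetical names; substitute a real password.

```sql
-- Added example, not from the page. Run as a sysadmin in sqlcmd/SSMS.
-- Hypothetical names: database WebShop, login/user webapp, procedure
-- dbo.GetArticle, table dbo.Articles.
USE master;
CREATE LOGIN webapp WITH PASSWORD = N'<strong password here>',
                         CHECK_POLICY = ON;
GO
USE WebShop;
CREATE USER webapp FOR LOGIN webapp;   -- no fixed roles, nothing implicit

-- Grant only what the site needs: run its procedures. Procedures owned by
-- dbo may still read and write dbo tables through ownership chaining, so
-- legitimate writes keep working.
GRANT EXECUTE ON SCHEMA::dbo TO webapp;
-- GRANT SELECT ON dbo.Articles TO webapp;   -- only if ad-hoc reads are needed

-- Belt and braces: refuse data changes and design changes outright, so a
-- later "add it to db_datawriter to make it work" does not reopen the hole.
DENY INSERT, UPDATE, DELETE, ALTER ON SCHEMA::dbo TO webapp;
GO

-- Check from the restricted user's point of view.
EXECUTE AS USER = 'webapp';
EXEC dbo.GetArticle @id = 1;                    -- allowed
UPDATE dbo.Articles SET Body = Body + N'x';     -- fails: permission denied
REVERT;
```

Point the site's connection string at this login (not sa or a db_owner member) and the injected UPDATE from the article's attack is rejected by the server, whether or not the page that carried it was ever fixed.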
Not a Microsoft issue?
You pay a small fortune for SQL Server; you pay a small fortune for Microsoft training on how to use SQL Server. They teach you to actively go out and make insecure sites.
But it's not their fault!