Doug Seven has a good article over on sqljunkies.com that talks about the 10 things that you shouldn't do with SQL Server.
10. Add a Low Privilege Account to the Admin Role
9. @@IDENTITY vs. SCOPE_IDENTITY
8. Fetch Semi-static Data on Each Request of a Resource
7. Include SQL Data Manipulation Language in Application Code
6. Abuse SELECT *
5. Create Stored Procedures without Exception Handling
4. Prefix Stored Procedures with "sp_"
3. You Don't Protect the Database Connection String
2. Accept All Input
1. Access the Database from the Application with the "sa" Account
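Items 9 and 2 are the ones people most often get wrong in practice, so here is a short T-SQL walkthrough of both. This is an added example written for this post, not code from Doug Seven's article; the tables, trigger and values are constructed for illustration.

```sql
-- Constructed schema (hypothetical names) to show why item 9 matters.
SET NOCOUNT ON;

CREATE TABLE dbo.Orders (
    OrderId  INT IDENTITY(1, 1) PRIMARY KEY,
    Customer NVARCHAR(50) NOT NULL
);

CREATE TABLE dbo.OrderAudit (
    AuditId  INT IDENTITY(1000, 1) PRIMARY KEY,   -- separate identity seed so the mix-up is obvious
    OrderId  INT NOT NULL,
    LoggedAt DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- An AFTER INSERT trigger writes an audit row, which generates its own identity value.
CREATE TRIGGER dbo.trg_Orders_Audit ON dbo.Orders
AFTER INSERT AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.OrderAudit (OrderId)
    SELECT OrderId FROM inserted;
END;
GO

INSERT INTO dbo.Orders (Customer) VALUES (N'Alice');

-- @@IDENTITY returns the last identity value generated in this session in ANY scope,
-- so it picks up the AuditId (1000) produced inside the trigger.
-- SCOPE_IDENTITY() is limited to the current scope and returns the OrderId (1) we wanted.
SELECT @@IDENTITY       AS LastIdentityAnyScope,    -- 1000 (the audit row, not the order)
       SCOPE_IDENTITY() AS LastIdentityThisScope;   -- 1

-- Item 2: never splice input into the statement text. Even a harmless value with an
-- apostrophe breaks a concatenated query; a typed parameter is passed as data only.
DECLARE @CustomerInput NVARCHAR(50) = N'O''Brien';  -- constructed input containing a quote

-- Unsafe shape (left commented out): the input becomes part of the SQL text.
-- EXEC (N'SELECT OrderId FROM dbo.Orders WHERE Customer = ''' + @CustomerInput + N'''');

-- Safe shape: sp_executesql binds the value to @Customer; the statement text never changes.
EXEC sp_executesql
    N'SELECT OrderId, Customer FROM dbo.Orders WHERE Customer = @Customer',
    N'@Customer NVARCHAR(50)',
    @Customer = @CustomerInput;   -- returns no rows here; the quote is just data

-- Cleanup of the constructed objects.
DROP TABLE dbo.OrderAudit;
DROP TABLE dbo.Orders;
GO
```

Run it in a scratch database. The first SELECT is the point of item 9: any trigger (or a later change that adds one) silently changes what @@IDENTITY returns, while SCOPE_IDENTITY() stays tied to the INSERT you just issued. The sp_executesql call is the habit behind item 2: whatever the caller supplies arrives as a typed parameter value rather than as text the parser has to interpret.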