If you got those, it's the newest M$SQL worm dubbed "Spida" (or was it SQLSnake).
It scans for M$SQL installations on this port, and tries to breach if the sa account is w/o pass, so Linux ppl are out of the line of fire once again (on this one).
This sig was on the snort-sigs mailinglist (one line, ok) file sql.rules:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:687; rev:1