I would first ask how quickly they want to be hacked. I can think of zero reasons that a server running Microsoft SQL Server would need to be in the DMZ. Put your front-facing server in the DMZ, install certificates, open a port to communicate to SQL from the server in the DMZ to the database server in the firewall. That is just me. I used to manage the database infrastructure for a very large bank, and we never put a SQL Server in the DMZ.
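The layout described in the post above can be checked mechanically against a firewall rule export. The following is an added example, not part of the original post: it audits a constructed rule list and reports anything that exposes the database beyond the single front-facing host. The addresses, the rule tuple format and the `audit` helper are assumptions made for illustration; 1433 is SQL Server's default TCP port.

```python
import ipaddress

# Constructed sample topology (assumed addresses, not taken from the post).
DMZ_NET = "192.0.2.0/24"   # DMZ segment
WEB_HOST = "192.0.2.10"    # front-facing server in the DMZ
DB_HOST = "10.20.0.5"      # SQL Server on the internal network
SQL_PORT = 1433            # SQL Server default TCP port

# Constructed allow rules: (name, source CIDR, destination CIDR, TCP port).
GOOD_RULES = [
    ("internet-to-web-https", "0.0.0.0/0", "192.0.2.10/32", 443),
    ("web-to-sql", "192.0.2.10/32", "10.20.0.5/32", 1433),
]
BAD_RULES = [
    ("internet-to-web-https", "0.0.0.0/0", "192.0.2.10/32", 443),
    ("dmz-to-sql", "192.0.2.0/24", "10.20.0.5/32", 1433),  # whole DMZ, not one host
    ("any-to-sql", "0.0.0.0/0", "10.20.0.0/16", 1433),     # reachable from anywhere
]

def audit(rules, db_host=DB_HOST, web_host=WEB_HOST, dmz_net=DMZ_NET, port=SQL_PORT):
    """Return findings for rules that expose the database beyond the one web host."""
    db = ipaddress.ip_address(db_host)
    dmz = ipaddress.ip_network(dmz_net)
    allowed_src = ipaddress.ip_network(f"{web_host}/32")
    findings = []
    if db in dmz:
        findings.append(f"database host {db} sits inside the DMZ {dmz}")
    dedicated_path = False
    for name, src, dst, dport in rules:
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if dport != port or db not in dst_net:
            continue  # rule does not reach the SQL listener
        if src_net == allowed_src:
            dedicated_path = True
        else:
            findings.append(f"rule '{name}' lets {src_net} reach {db}:{port}")
    if not dedicated_path:
        findings.append(f"no host-specific rule for {web_host} -> {db}:{port}")
    return findings

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit(rules) or "ok")
```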