There is no open bracket in an UPDATE command:
UPDATE MyTable SET MyColumn = @MyParameter, MyOtherColumn = @MyOtherParamater, ... WHERE ...
But since the rest of the command uses Parameter, the WHERE clause should also, or the whole operation is still open to SQL Injection.