Why do you say that using SSL is irrelevant?
Because SSL doesn't protect the database queries, just the web pages.
My client's site is hosted by a company that offers them a SQL server database as well. They are using this. Do you see that as a problem ?
Absolutely. If this data is so critical that they hesitate to give their own employees full access to it then why are they trusting some hosting company's employees with it?
I am assuming (maybe incorrectly) that it is patched/locked down enough.
First, that's a BIG assumption that should be backed up by BIG payments or BIG lawsuits if it proves untrue. Guess what, YOUR company is legally responsible for that data's safekeeping, not the hosting company.
The idea of the SSL obviously is to encrypt the data stream as it goes from client to server. Isnt that enough?
SSL isn't protecting the data stream between the application and database server at all. It's encrypting the stream between the application and the browser.
As far as the datamart is concerned, yes I want to extract it to put it on their own server. Its getting this extract to the server I am concerned about. Whatever the solution, its got to be something I can package up and automate somehow.
As cijori said, the database may be able to encrypt its traffic during a replication cycle. Replication can be automated in various ways. You need to get a good SQL Server consultant in to go over the possibilities with you.