The common consensus appears to be that directly queried statements don't allow parameters, and that prepared statements do.
However, in Go's database/sql package, you are allowed to use the ODBC parameters and send parameters to such things as db.QueryRow() and db.Query(). So it appears that they are functionally equivalent.
That being said, what is the point, then, of first creating a statement and then executing it? Let's say statements compile against the database first -- doesn't that increase load and thereby reduce performance, since you're adding an extra trip? And since you can get parameters from Query/QueryRow, wouldn't that make statements a bad thing?
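Added example, not part of the question: a constructed in-memory driver that counts how often database/sql asks it to Prepare, comparing repeated parameterised db.Exec calls (db.Query and db.QueryRow take the same path when the driver lacks the optional Queryer interfaces) with one db.Prepare reused for every call. The driver name "fake", the audit_log table and the prepareCount counter are assumptions for illustration.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
)

// Constructed stand-in driver (not a real one) that counts Prepare calls. It omits
// driver.Execer/ExecerContext (and Queryer/QueryerContext), so every parameterised
// db.Exec, db.Query or db.QueryRow is served as prepare + run + close.
var prepareCount int
type fake struct{} // acts as driver.Driver, driver.Conn and driver.Stmt at once
func (fake) Open(string) (driver.Conn, error)          { return fake{}, nil }
func (fake) Close() error                               { return nil }
func (fake) Begin() (driver.Tx, error)                  { return nil, errors.New("no tx") }
func (fake) Prepare(string) (driver.Stmt, error)        { prepareCount++; return fake{}, nil }
func (fake) NumInput() int                              { return -1 } // -1: skip placeholder count check
func (fake) Exec([]driver.Value) (driver.Result, error) { return driver.RowsAffected(1), nil }
func (fake) Query([]driver.Value) (driver.Rows, error)  { return nil, errors.New("unused") }
func init() { sql.Register("fake", fake{}) }

// CountPrepares runs n parameterised inserts on one pooled connection and returns
// how many Prepare calls reached the driver: n via repeated db.Exec, 1 when a
// single db.Prepare'd statement is reused for every call.
func CountPrepares(n int, reuseStmt bool) (int, error) {
	db, err := sql.Open("fake", "")
	if err != nil {
		return 0, err
	}
	defer db.Close()
	db.SetMaxOpenConns(1) // keep the prepared statement on its own connection
	prepareCount = 0
	const q = "INSERT INTO audit_log(user_id) VALUES (?)"
	exec := func(args ...any) (sql.Result, error) { return db.Exec(q, args...) }
	if reuseStmt {
		stmt, err := db.Prepare(q)
		if err != nil {
			return 0, err
		}
		defer stmt.Close()
		exec = stmt.Exec // one Prepare up front, then only executes
	}
	for i := 0; i < n; i++ {
		if _, err := exec(i); err != nil {
			return 0, err
		}
	}
	return prepareCount, nil
}
```

Whether a direct call costs one round trip or two depends on the driver: one that implements the optional driver.Execer/Queryer (or their Context variants) can ship the parameters together with the query text, which is why the two APIs look equivalent at the database/sql level.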