You are right: Prior to SonarQube 7.2, an implementation of rule S3649 to detect SQL Injections was provided freely and open-source through the Sonar C# plugin. That implementation was quite naive, as it was essentially forbidding any kind of string concatenation to construct the query. This led to many false-positive complaints from our users, such as in this StackOverflow question. In the Java plugin, we had 3 other similar “user-injection” rules that we eventually had to disable by default in the “Sonar way” quality profile because of too many unhappy users. In C#, the SQL Injection rule was the only “user-injection” rule delivered, and it still was enabled by default in “Sonar way”.
At the same time, we wanted to deliver the improved version of the rule: the one that correctly tracks user-provided data (e.g. from web frameworks) all the way to the SQL query. That, as you can imagine, takes quite a bit more work compared to simply detecting and forbidding any kind of string concatenation.
Then, we did not want to deliver two versions of the same rule at the same time: this would only confuse our users, and anyway we no longer believed in the value generated by the trivial implementation ourselves.
So, it would not be correct to simply say that we moved a free feature into a paid one. Behind the scenes, there is a completely different implementation, and comparing the two would be like trying to compare oranges and bananas. If you need more convincing on this, I invite you to play with the new rule and evaluate it on SonarCloud.io, where it is available for free for open-source projects.
Finally, answering your question about the upgrade notes: We only removed 1 rule out of 300+ in the Sonar C# plugin. We believe that the impact for most users is minimal, which is why we did not mention this point in the upgrade notes, where it would be impractical to list all minor changes. However, this is not a change we wanted to secretly hide. In fact, on the Sonar C# plugin, there is an explicit GitHub issue that was closed in version 7.2 to remove the rule.
I hope that this helps to give you a bit more context about what changed with rule S3649 and why. Please do let me know if you have any further questions.