[tptacek]

Unlike SHA-1, which has a 2^60 local-collision attack and a 160 bit output (so an 80 bit birthday bound), SHA-2 has no theoretical attacks and a 128 bit security bound.

You can do the math on how much it would cost to find a SHA-2 collision; for instance, you can steal Skein team member Jesse Walker's back of the envelope calculations, assigning 2^61 cycles and 2^8 dollars to a server-year. Now multiply the number of cycles a block of SHA256 takes by 2^128.

I don't think a direct attack on SHA256 is a productive use to put the world's computers.