I wish the documentation was consistent, but we have the SQL Server 2016 pssword policy page telling us we have to have 3 out of the 4 so we could have just upper case, lower case and numbers or just upper case, lower case, and symbols; and the SQL Server 2016 strong passwords page that tells us we have to have numbers, we have to have symbols, and we have to save some letters (either upper case or lower case or both). These two both deliver the answer 3 for this question, but they contradict each other as to whether numbers are mandatory and whether symbols are mandatory. Add to that "at least 8" and "more than 8" in various places and there appear to be four different stories as to what counts as a strong password in SQL Servr 2016!

Of course the idea that 8 (or 9) character passwords are strong is ludicrous anyway.

Good question and answer, but lousey microsoft documenation.