Did you try the script I just posted? The original had an error; I'll update that post.

No, there's just the one salt, 4 bytes long.

SQL2012:

0x0200

ABCDEF12 - salt

xxxxx - SHA-512 hash (512 bits)

And for SQL 2005-2008R2:

0x0100

ABCDEF12 - salt

xxxxx - SHA-1 hash (160 bits)

And pwdencrypt() boils down to SHA-x(UCS-2/"Unicode" version of password + salt) - note that the salt comes second.