Did you try the script I just posted? The original had an error; I'll update that post.
No, there's just the one salt, 4 bytes long.
SQL2012:
0x0200
ABCDEF12 - salt
xxxxx - SHA-512 hash (512 bits)
And for SQL 2005-2008R2:
0x0100
ABCDEF12 - salt
xxxxx - SHA-1 hash (160 bits)
And pwdencrypt() boils down to SHA-x(UCS-2/"Unicode" version of password + salt) - note that the salt comes second.