• I tried this out on Windows 2003 to see how it reacts (Windows 2003 SP2; SQL Server 2005 Standard SP2 64-bit).

    Using the SSMS GUI, the following commands are issued.

    -- Create the login

    CREATE LOGIN [xxx] WITH PASSWORD=N'qwerty12!', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON

    --Command(s) completed successfully.

    -- Change the password

    ALTER LOGIN [xxx] WITH PASSWORD=N'zxcvbn12!'

    --Command(s) completed successfully.

    -- Change the password back to the original password

    ALTER LOGIN [xxx] WITH PASSWORD=N'qwerty12!'

    --Command(s) completed successfully.

    -- Change to a password that is too short

    ALTER LOGIN [xxx] WITH PASSWORD=N'abc'

    --Msg 15116, Level 16, State 1, Line 1

    --Password validation failed. The password does not meet Windows policy requirements because it is too short.

    -- Change to a password that is not complex enough

    ALTER LOGIN [xxx] WITH PASSWORD=N'abcdefgh'

    --Msg 15118, Level 16, State 1, Line 1

    --Password validation failed. The password does not meet Windows policy requirements because it is not complex enough.

    From the above, the only two things that are enforced are

    (1) Minimum password length

    (2) Password must meet complexity requirements

    NOTE that the GUI does not specify OLD_PASSWORD.

    Now let's try changing the password this time including the OLD_PASSWORD.

    -- Change the password to a previously used password, specifying the old password

    ALTER LOGIN xxx WITH PASSWORD = 'zxcvbn12!' OLD_PASSWORD = 'qwerty12!'

    --Msg 15115, Level 16, State 1, Line 1

    --Password validation failed. The password cannot be used at this time.

    -- Change the password to a completely new password, specifying the old password

    ALTER LOGIN xxx WITH PASSWORD = 'asdfgh12!' OLD_PASSWORD = 'qwerty12!'

    --Command(s) completed successfully.

    Interestingly, the old password does not seem to be required, but if specified SQL Server appears to check password history.

    -- Clean up

    DROP LOGIN xxx
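
An added example, not part of the original post: a read-only T-SQL query that reports, for every SQL Server authentication login, whether the CHECK_POLICY and CHECK_EXPIRATION options used in the CREATE LOGIN statement above are on, and how many old passwords are being tracked. It assumes it is run by a login with enough rights to see the other logins (for example a sysadmin); the column aliases and the wording of the `finding` column are made up for this example.

```sql
-- Added example: audit password-policy settings for SQL Server logins.
-- Reads the sys.sql_logins catalog view and LOGINPROPERTY(); changes nothing.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,      -- 1 when the login was created/altered with CHECK_POLICY = ON
    l.is_expiration_checked,  -- 1 when CHECK_EXPIRATION = ON
    LOGINPROPERTY(l.name, 'HistoryLength')       AS history_length,    -- passwords tracked for history checks
    LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
    LOGINPROPERTY(l.name, 'BadPasswordCount')    AS bad_password_count,
    LOGINPROPERTY(l.name, 'IsLocked')            AS is_locked,
    LOGINPROPERTY(l.name, 'IsMustChange')        AS must_change,
    CASE
        WHEN l.is_policy_checked = 0     THEN 'Windows password policy not applied'
        WHEN l.is_expiration_checked = 0 THEN 'policy applied, expiration not checked'
        ELSE 'policy and expiration applied'
    END AS finding
FROM sys.sql_logins AS l
-- Least-protected logins first, so they are the first rows reviewed.
ORDER BY l.is_policy_checked, l.is_expiration_checked, l.name;
```

A login created like `xxx` above (CHECK_POLICY=ON, CHECK_EXPIRATION=OFF) falls into the second `finding` category.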