I tried this out on Windows 2003 to see how it reacts (Windows 2003 SP2; SQL Server 2005 Standard SP2 64-bit).
Using the SSMS GUI, the following commands are issued.
[font="Courier New"]-- Create the login
CREATE LOGIN [xxx] WITH PASSWORD=N'qwerty12!', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
--Command(s) completed successfully.
-- Change the password
ALTER LOGIN [xxx] WITH PASSWORD=N'zxcvbn12!'
--Command(s) completed successfully.
-- Change the password back to the original password
ALTER LOGIN [xxx] WITH PASSWORD=N'qwerty12!'
--Command(s) completed successfully.
-- Change to a password that is too short
ALTER LOGIN [xxx] WITH PASSWORD=N'abc'
--Msg 15116, Level 16, State 1, Line 1
--Password validation failed. The password does not meet Windows policy requirements because it is too short.
-- Change to a password that is not complex enough
ALTER LOGIN [xxx] WITH PASSWORD=N'abcdefgh'
--Msg 15118, Level 16, State 1, Line 1
--Password validation failed. The password does not meet Windows policy requirements because it is not complex enough.[/font]
From the above, the only two things that are enforced are:
(1) Minimum password length
(2) Password must meet complexity requirements
NOTE that the GUI does not specify OLD_PASSWORD.
Now let's try changing the password this time including the OLD_PASSWORD.
[font="Courier New"]-- Change the password to a previously used password, specifying the old password
ALTER LOGIN xxx WITH PASSWORD = 'zxcvbn12!' OLD_PASSWORD = 'qwerty12!'
--Msg 15115, Level 16, State 1, Line 1
--Password validation failed. The password cannot be used at this time.
-- Change the password to a completely new password, specifying the old password
ALTER LOGIN xxx WITH PASSWORD = 'asdfgh12!' OLD_PASSWORD = 'qwerty12!'
--Command(s) completed successfully.[/font]
Interestingly, the old password does not seem to be required, but if specified, SQL Server appears to check password history.
[font="Courier New"]-- Clean up
DROP LOGIN xxx[/font]
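
Added example, not part of the original post: a way to inspect what the server records for password policy while repeating the test above, using the `sys.sql_logins` catalog view and `LOGINPROPERTY`. The login name `policy_test_login` is hypothetical, and the passwords are the sample values from the post.

```sql
-- Added example: not from the original post.
-- Run as a sysadmin (or with VIEW ANY DEFINITION) so every login is visible.

-- 1. Audit which SQL logins have policy and expiration checks enabled.
SELECT
    sl.name,
    sl.is_disabled,
    sl.is_policy_checked,       -- CHECK_POLICY (length and complexity, per the test above)
    sl.is_expiration_checked,   -- CHECK_EXPIRATION (OFF in the post's CREATE LOGIN)
    LOGINPROPERTY(sl.name, 'HistoryLength')       AS history_length,
    LOGINPROPERTY(sl.name, 'PasswordLastSetTime') AS password_last_set,
    LOGINPROPERTY(sl.name, 'IsMustChange')        AS must_change,
    LOGINPROPERTY(sl.name, 'IsLocked')            AS is_locked,
    LOGINPROPERTY(sl.name, 'BadPasswordCount')    AS bad_password_count
FROM sys.sql_logins AS sl
ORDER BY sl.is_policy_checked, sl.name;

-- 2. Watch the tracked password count while changing a throwaway login's
--    password without and with OLD_PASSWORD (hypothetical login name).
CREATE LOGIN [policy_test_login]
    WITH PASSWORD = N'qwerty12!', CHECK_EXPIRATION = OFF, CHECK_POLICY = ON;
SELECT LOGINPROPERTY('policy_test_login', 'HistoryLength') AS history_after_create;

-- Change without OLD_PASSWORD (the form the post says the GUI issues).
ALTER LOGIN [policy_test_login] WITH PASSWORD = N'zxcvbn12!';
SELECT LOGINPROPERTY('policy_test_login', 'HistoryLength') AS history_after_reset;

-- Change with OLD_PASSWORD (the form that returned Msg 15115 in the post
-- when a previous password was reused).
ALTER LOGIN [policy_test_login]
    WITH PASSWORD = N'asdfgh12!' OLD_PASSWORD = N'zxcvbn12!';
SELECT LOGINPROPERTY('policy_test_login', 'HistoryLength') AS history_after_change;

-- Clean up
DROP LOGIN [policy_test_login];
```

`HistoryLength` returns 0 when password policy is not enforced for a login, so step 1 also flags logins created with `CHECK_POLICY = OFF`.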