FIX: sp_password Does Not Validate Old Password
  
PSS ID Number: Q105001
Article last modified on 10-31-1994
 
4.20
 
WINDOWS
 

----------------------------------------------------------------------
The information in this article applies to:
 
  - Microsoft SQL Server version 4.2
----------------------------------------------------------------------
 
BUG# NT: 485 (4.2)
 
SYMPTOMS
========
 
The sa can use sp_password to change another logins password. If the sa
supplies an invalid old password, SQL Server will change the password to
the new value, then issue the error message:
 
   Password has been changed.
 
CAUSE
=====
 
The sa user is the only login allowed to specify a login parameter with
sp_password. In this case, the documentation states that sp_password will
validate the old password if it is given, and reject it if wrong.
sp_password is issuing the error message, but not stopping the password
change.
 
This applies only to sa, as that is the only login capable of changing the
password for another login. All other logins can only change their own
password, and in this case the password validation is operating correctly.
 
WORKAROUND
==========
 
Connect to SQL Server using the login ID whose password you desire to
change, and execute sp_password without specifying the login_id
parameter, similar to the following:
 
   sp_password oldpassword, newpassword
 
When executed this way, sp_password does validate the old password.
 
STATUS
======
 
Microsoft has confirmed this to be a problem in Microsoft SQL Server
version 4.2. This problem was corrected in SQL Server version 4.21. For
more information, contact your primary support provider.
 
Additional reference words: 4.20 Windows NT
KBCategory: kbprg
KBSubcategory: SSrvWinNT
 
=============================================================================
 
Copyright Microsoft Corporation 1994.
