The sp_password sproc in sql server 2000 only required membership in the db_accessadmin db_securityadmin database roles and membership in the securityadmin server role to allow a user to change passwords w/o knowing the old password. However in sql server 2005/2008 the BOL says a user now needs the "CONTROL SERVER" permission to do this. What powers exactly does the CONTROL SERVER permission give a user?
Update: I found this:
CONTROL SERVER is a new permission as of SQL Server 2005 and it grants the same access as being a member of the sysadmin fixed server role. - http://www.sqlservercentral.com/blogs/brian_kelley/archive/2009/02/24/detecting-when-a-login-has-implicit-access-to-a-database.aspx
Update: Turns out the documentation is wrong. Just like SQL Server 2000, SQL Server 2008 sp_password still only seems to require membership in the db_accessadmin & db_securityadmin database roles and membership in the securityadmin server role to allow a user to change passwords w/o knowing the old password.