first of all congratulations for your blog!
Just some notes about this post:
On Microsoft SQL Server 2000 such query does not always return the hashes in the password field, even with their own Query Analyzer it returns NULL, depending on the Service Pack of the SQL Server itself (tested on SP0), you’ve to use a cast algorithm to do such, I implemented it on sqlmap, you can find the source code at http://sqlmap.sourceforge.net/dev/plugins.mssqlserver-pysrc.html#MSSQLServerMap.getPasswordHashes if you’re interested in further details.
Cain and Abel does the work properly cracking MSSQL password hashes, but I suggest you to give a try also to http://www.ngssoftware.com/products/database-security/ngs-sqlcrack.php, if you do not know it already. The algorithm implemented uses native DLL functions to speed up the process of cracking.

Cheers,
Bernardo