Yes, you can separate them, but no, you can't "neuter" sa in MS-SQL.
The MS-SQL security model is more complex and a lot "richer" than the Sybase model. It sounds to me like you'd like one serveradmin and a separate securityadmin, which would get pretty close to what you've described.
No, I would like to have one login which can do all admin stuff like sysadmin, except for creation/updates to the logins/roles etc., and one login with which one can do SSO stuff like creating logins/modifying logins, granting user-defined roles, changing passwords etc.
But a login with only the serveradmin role can't do things like creating a database etc. So to my understanding, I have to give all server roles (except for sysadmin) to one login to do all DBA-related things and then give the security administrator role to one login who should act as SSO independently.
As a general rule of thumb, I'm allergic to the idea of having only one person with any given responsibility. I tend to deal with more disaster-related issues than the average admin, so I tend to think more about how to recover from disasters... Having only one person able to perform a given operation is (from at least my point of view) a recipe for a disaster, just biding its time to happen!
The beauty of Microsoft's more granular security is the ability to take a "buffet" approach, serving up what you need, to who needs it, as you need to. Sybase's approach is simpler, but that means that you need to tailor your operations to its security model instead of tailoring its security model to meet your needs!
I really appreciate your comments, but it varies from company to company how they use their resources. Giving admin access to one group makes it easy to control the actions of admin group members.
Since I have been working in Sybase all the time, I am happier with the Sybase approach, but I definitely agree that SQL Server provides more granular security settings.
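The role split discussed in this thread, written out as T-SQL. This is an added example, not code posted by any participant; the login names `dba_ops` and `sso_admin` and the password strings are hypothetical placeholders, and the `ALTER SERVER ROLE ... ADD MEMBER` syntax assumes SQL Server 2012 or later.

```sql
-- Added example: login names and passwords below are hypothetical placeholders.

-- Operations DBA: every fixed server role except sysadmin and securityadmin,
-- so this login can administer the server but cannot manage logins.
CREATE LOGIN dba_ops WITH PASSWORD = N'<replace-with-strong-password-1>';
ALTER SERVER ROLE serveradmin  ADD MEMBER dba_ops;  -- server-wide configuration
ALTER SERVER ROLE dbcreator    ADD MEMBER dba_ops;  -- create/alter/drop databases
ALTER SERVER ROLE diskadmin    ADD MEMBER dba_ops;  -- manage disk files
ALTER SERVER ROLE processadmin ADD MEMBER dba_ops;  -- end running processes
ALTER SERVER ROLE setupadmin   ADD MEMBER dba_ops;  -- linked servers
ALTER SERVER ROLE bulkadmin    ADD MEMBER dba_ops;  -- BULK INSERT

-- Security officer (SSO): manages logins and their properties only.
-- Microsoft's documentation advises treating securityadmin as equivalent to
-- sysadmin, because its members can grant server-level permissions.
CREATE LOGIN sso_admin WITH PASSWORD = N'<replace-with-strong-password-2>';
ALTER SERVER ROLE securityadmin ADD MEMBER sso_admin;

-- Verify the split: list the fixed server roles held by each login.
-- dba_ops must not appear with securityadmin or sysadmin;
-- sso_admin must appear with securityadmin only.
SELECT m.name AS login_name,
       r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'dba_ops', N'sso_admin')
ORDER BY m.name, r.name;

-- Audit: sa cannot be removed from sysadmin, so review who else is a member
-- and whether each of those logins is enabled.
SELECT m.name AS login_name,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```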