Is it still best practice to avoid using the default ports for SQL Server?
Historically, it has been recommended not to use the default ports for connections to SQL Server, as part of security best practice.
Which was asinine then and still asinine now. Security through arguably obscurity isn't security at all.
Is this advice still relevant
IMHO it was never relevant. It was required for some compliance purposes because the people drafting up those compliances did not understand what they were doing, again, IMHO.
Should ALL of the above ports be changed?
I wouldn't change any.
Even though security through obscurity isn't actual security I won't say there aren't any cases where it helps.
If an attacker wants to know where your service is listening they can easily find out, but in the event of a dumb automated attack you could be lucky if you changed the port.
The only time I can remember where it actually helped is during the time of SQL Slammer where SQL Server 2000 was vulnerable and a worm spread by generating random ip's and connecting to the default SQL Server browser port.
If I recall correctly it was official advice at the time to change the ports until you could patch your server (either because there wasn't a patch available immediately or because you didn't have a window)
For that worm to enter your network at the time you needed to have a SQL Server connected to the internet instead of behind a firewall, which you shouldn't, but anyhow, a non-default port number could have helped in that specific case.
I do however agree that if you have proper security in place the complexity you add probably doesn't outweigh the chances of it preventing an incident.
Historically, it has been recommended not to use the default ports for connections to SQL Server, as part of security best practice
No, it wasn't. Some misguided people may have presented it as such, but I've been doing security for 20+ years and changing default ports has always been a kind of "here is something you can do if you want which maybe sometimes in very specific circumstances provides a bit of additional security against some very specific threats" thing.
Is this advice still relevant?
Under very specific circumstances, depending on your threat model and risk analysis, there may be some instances in which this is sound advice. In the vast majority of cases, no, it isn't relevant nor was it ever.