The supported method (per the release notes) would be to first migrate to 8.3(x) then to 8.4(x) then to 8.6(x) and finally to 9.0(x). ("x" being the current maintenance release within that minor release.)
However my experience is that the path you suggest also works. I would suggest 9.0(4) (or better yet 9.1(5)) as your final target unless there's some specific reason you have for only going to 9.0(3).
You will need to ensure you have 2 GB of RAM to upgrade a 5520 to 8.3 or higher. (Reference)
When you make that first upgrade to 8.3+, stop and verify all your NAT and access-list functionality. The parser will automatically migrate the command syntax but the success in doing so is not always 100%. Check the log file (automatically written to disk0) in addition to independently verifying the functions.
OK. 9.0(3) is "starred" but 9.0(4) also fixes 145 bugs that affect 9.0(3).
If it was me I'd go with option 1. But then I've upgraded over 100 ASAs in my time and only had to call the TAC about 2-3 times on it - each time it ended up being an unpublished software bug-related issue.
If you want the safest and completely Cisco-supported method the last one is what is recommended.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...