Derivation variables ignored, installing from tarballs.nixos.org instead?

no, and it frequently comes up.

One thing you can do to prevent this is by supplying a name attribute to fetchurl (or helpers) that includes version information which will change the drv.

  fetchurl  = {
    url = https://.....;
    sha256 = "XXXX";
  };

will only check the sha.

  fetchurl  = {
    url = https://.....;
    sha256 = "XXXX";
    name = "${pname}-${version}-source";
  };

will make a new derivation when version of the outer attr set changes. (this assumes the outer set has the rec keyword)