Both in d14 and d15, any parameter seems to be able to be updated. For example, if the tos_url and policy_url was updated, do not we have to ask the user for consent again? If the tos_url, policy_url and contacts were updated, can we still regard it as the same client? (I suspect, in this case, they should register as a new client.)
Since we are talking about consent, just the fact that client_id is the same probably would not be good enough to consider it as the same client.
These behavior are not defined right now, and I can conceive of an attack by a malicious client.
I think this may be a red herring, since the contents of what's at the tos_url or policy_url can change at any time (as far as the IdP is concerned).