This is the purpose of the Gemfile.lock file – running bundle install with a Gemfile.lock present only installs using the dependencies listed in there; it doesn’t re-resolve the Gemfile. To update dependencies / update gem versions, you then have to explicitly do a bundle update, which will update your Gemfile.lock file.
If there wasn’t a Gemfile.lock, deploying code to production would be a major issue because, as you mention, the dependencies and gem versions could change.
In short, you should be generally safe using the pessimistic version constraint operator (~>) as rubygems.org advises. Just be sure to re-run your tests after you do a bundle update to make sure nothing breaks.
There’s a nice article by Yehuda Katz that has a little more info on Gemfile.lock.