diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8262bc8cb5..d65ce3ea82 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,11 +2,25 @@
 
 ### Added
 
-- A new provider configuration option `enableSecretMutable` allows treating changes to `Secrets` as updates instead of replacements.
-  This is similar to the `enableConfigMapMutable` option.
-  The default replacement behavior can be preserved for a particular Secret by setting its `replaceOnChanges` resource option to `[".stringData", ".data"]`.
+- The new `enableSecretMutable` provider configuration option treats changes to
+  `Secrets` as updates instead of replacements (similar to the
+  `enableConfigMapMutable` option).
+
+  The default replacement behavior can be preserved for a particular `Secret`
+  by setting its `immutable` field to `true`.
   (https://github.com/pulumi/pulumi-kubernetes/issues/2291)
 
+  **Note:** These options (`enableSecretMutable` and `enableConfigMapMutable`)
+  may become the default behavior in a future v5 release of the provider.
+  Programs that depend on the replacement of `Secrets` and `ConfigMaps` (e.g.
+  to trigger updates for downstream dependencies like `Deployments`) are
+  recommended to explicitly specify `immutable: true`.
+
+### Fixed
+
+- The `immutable` field is now respected for `ConfigMaps` when the provider is configured with `enableConfigMapMutable`.
+  (https://github.com/pulumi/pulumi-kubernetes/issues/3181)
+
 ## 4.17.1 (August 16, 2024)
 
 ### Fixed
diff --git a/provider/pkg/clients/clients.go b/provider/pkg/clients/clients.go
index d6d728db38..4905b9dd95 100644
--- a/provider/pkg/clients/clients.go
+++ b/provider/pkg/clients/clients.go
@@ -311,22 +311,21 @@ func FindCRD(objs []unstructured.Unstructured, kind schema.GroupKind) *unstructu
 	return nil
 }
 
+// IsSecret returns true if the resource has a Secret GVK.
 func IsSecret(obj *unstructured.Unstructured) bool {
 	gvk := obj.GroupVersionKind()
 	return (gvk.Group == corev1.GroupName || gvk.Group == "core") && gvk.Kind == string(kinds.Secret)
 }
 
+// IsConfigMap returns true if the resource has a ConfigMap GVK.
 func IsConfigMap(obj *unstructured.Unstructured) bool {
 	gvk := obj.GroupVersionKind()
 	return (gvk.Group == corev1.GroupName || gvk.Group == "core") && gvk.Kind == string(kinds.ConfigMap)
 }
 
-// Checks whether the given ConfigMap or Secret is marked as immutable.
+// IsMutable returns true if given ConfigMap or Secret is marked as immutable.
 func IsImmutable(obj *unstructured.Unstructured) bool {
-	val, found, err := unstructured.NestedBool(obj.Object, "immutable")
-	if !found || err != nil {
-		val = false
-	}
+	val, _, _ := unstructured.NestedBool(obj.Object, "immutable")
 	return val
 }