Copied in part from full discussion here:
If you have:
1) Two feeds with the same package IDs
2) One has higher versions than the other
3) You specify the source via nuget.exe -s
NuGet.exe will resolve from the cache rather than the remote service, and generally the higher version will be chosen regardless of the package source you specify.
A suggested fix would be to check the remote source first and defer to it. Although checking the remote source first may force the download of the package due to the hash being different, this just becomes a race for who gets there first. It fixes the problem
in a very single-threaded, duplicative manner.
1) Ask for package A v1.0 from SourceA. Gets downloaded and installed in cache.
2) Ask for package A v1.0 from SourceB. Checks remote, compares to cache, fails hash check, overwrites cache and installs.
3) Ask for package A v1.0 from SourceA again, rinse and repeat compare/fail/download cycle.