Trusting CA Certificates by Thumbprint

First, a thumbprint (also called fingerprint) of a CA certificate is not sufficient to verify the trust chain. In order to validate the trust chain you need to have the public key of the CA which is contained in the CA certificate but not in the thumbprint. Still, you can have a collection of CA certificates and then define using the thumbprint which to trust and which not.

Whenever a certificate gets renewed the certificate fingerprint will change because the fingerprint is computed based on the full certificate, which includes the (changed) expiration. A public key fingerprint is more stable in this regard since a renewal might reuse the previous public key and in this case the public key fingerprint will not change. But while this is at least possible it is far from guaranteed. A CA might decide to use a different public key, for example because the previous one was considered too weak and not sufficiently future proof.