Is quoting the value of url() really necessary?

The W3C says quotes are optional, all three of your ways are legal.

Opening and closing quote just need to be the same character.

If you have special characters in your URL, you should use quotes or escape the characters (see below).

Syntax and basic data types

The format of a URI value is 'url(' followed by optional white space followed by an optional single quote (') or double quote (") character followed by the URI itself, followed by an optional single quote (') or double quote (") character followed by optional white space followed by ')'. The two quote characters must be the same.

Escaping special characters:

Some characters appearing in an unquoted URI, such as parentheses, white space characters, single quotes (') and double quotes ("), must be escaped with a backslash so that the resulting URI value is a URI token: '\(', '\)'.

Better use quotes because it's recommended by the newest standard and there're fewer edge cases.

According to the newest Editor's Draft of CSS Values and Modules Level 3 (18 December 2015)

A URL is a pointer to a resource and is a functional notation denoted by <url>. The syntax of a <url> is:
<url> = url( <string> <url-modifier>* )

The unquoted version is only supported for legacy reasons and needs special parsing rules (for escape sequences, etc.), thus being cumbersome and not supporting url-modifiers.

That means, the url(...) syntax is supposed to be a functional notation, which takes a string and a url-modifier as parameters. Use the quote notation (which produces a string token) would be more standard-compliant and introduce less complexity.

@SimonMourier's comment in the top answer is wrong, because he looked for the wrong spec. The url-token type is only introduced for the legacy special parsing rules, so that's why it does not have anything to do with quotes.