Some web servers will allow this, but we recommend (for security reasons) a new CSR for every renewal.

If you use the original CSR and someone has previously acquired the Private Key without your knowledge then you are still at risk of attacks during encrypted sessions.
If you use a new CSR then anyone possessing the Private Key looses the ability to decrypt your encrypted sessions when you apply the new certificate issued from the new CSR.