That depends on how you define letters and numbers. There are certain Unicode characters that can result in SQL injection. This is sometimes called SQL Smuggling.
There are cases of SQL Injections leveraging the implicit conversion of Unicode homoglyphs from Unicode character string types (NCHAR, NVARCHAR) to character string types (CHAR, VARCHAR). A character such as ʼ (U+02BC) in NVARCHAR may slip through the escaping routine and get translated to ' (U+0027) in VARCHAR, which may result in an SQL Injection when such a string is used to build an SQL statement dynamically.
However, your validation is pretty strict (only characters from the Basic Latin Unicode block and Unicode whitespace characters) and I can’t think of any case where this would fail.
https://security.stackexchange.com/a/54958
Having said that, prepared statements / parameterized queries offer the best protection against SQL injection. If the allowable character set is expanded through a requirements change years down the road, the person doing the change may be unaware of the security implications of allowing additional characters.
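The failure mode and the two defences discussed above, as an added example that is not part of the original answer. The function names, the one-entry fold table (modelling the NVARCHAR to VARCHAR conversion with only the character named in the text), the sample input and the use of `sqlite3` as a stand-in database driver are all assumptions made for illustration.

```python
import sqlite3

# Assumption: one-entry model of the implicit NVARCHAR -> VARCHAR conversion
# described above. Only the character named in the text (U+02BC) is mapped.
NARROWING_FOLD = {"\u02bc": "'"}

SAMPLE = "O\u02bcBrien"  # constructed input containing U+02BC, not U+0027


def escape_quotes(value: str) -> str:
    """Hypothetical escaping routine: doubles U+0027 and nothing else."""
    return value.replace("'", "''")


def narrow(value: str) -> str:
    """Apply the modelled narrowing conversion character by character."""
    return "".join(NARROWING_FOLD.get(ch, ch) for ch in value)


def has_unescaped_quote(literal_body: str) -> bool:
    """True if the body of a '...' literal holds a quote that is not doubled."""
    return "'" in literal_body.replace("''", "")


def passes_allowlist(value: str) -> bool:
    """Strict validation: ASCII letters and digits plus Unicode whitespace."""
    return all((ch.isascii() and ch.isalnum()) or ch.isspace() for ch in value)


def store_parameterized(value: str) -> str:
    """Bind the value as a parameter; it is never parsed as SQL text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (name TEXT)")
    conn.execute("INSERT INTO names (name) VALUES (?)", (value,))
    (stored,) = conn.execute("SELECT name FROM names").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    # Escaping before the conversion misses the homoglyph entirely.
    print("escape then narrow:", has_unescaped_quote(narrow(escape_quotes(SAMPLE))))
    # Escaping after the conversion sees a real U+0027 and doubles it.
    print("narrow then escape:", has_unescaped_quote(escape_quotes(narrow(SAMPLE))))
    print("allowlist accepts sample:", passes_allowlist(SAMPLE))
    print("parameterized round trip intact:", store_parameterized(SAMPLE) == SAMPLE)
```

The ordering result is the point for code review: escaping is only meaningful when it runs on the string in the form the SQL parser will finally see, which is why binding parameters removes the question altogether.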