Are certificate authorities required to obey to the signature algorithm (hashing) specified in the CSR?
The signature algorithm specified when creating the CSR corresponds to the message digest used to sign the request itself, it is not intented to ask the CA to prefer that algorithm when signing your certificate.
The MD used in the CSR establishes the level of confidence in your request, but does not imply what algorithm is used on the certificate since signing does not depend on that digest but on the public key.
Most CA stick to the same algorithm for a specific issuing certificate unless it were discovered to be "weak", ignoring what message digest you used in your request.
A good CA would reject any CSR signed with MD5 (for precaution since they shouldn't trust you), and should be forcing you to use SHA256 for any certificate you pretend to use for more than two years starting today (2014), since Microsoft (and maybe others) will be rejecting certificates signed with SHA-1 or lower on January 2017.