As it says on the codex page for update_post_meta():
The new value of the custom field. A passed array will be serialized into a string.(this should be raw as opposed to sanitized for database queries)
So any values that you pass to it do not need to be escaped or serialized or anything else. Just pass in the values and WordPress will deal with it.